Bug#624689: perl: segfaults (dereferencing a null pointer) while evaluating a pattern match

Sat, 30 Apr 2011 09:36:20 -0700 

Package: perl
Version: 5.10.1-20
Severity: normal

*** Please type your report below this line ***
In the piece of code I'm running, an object's DESTROY method has various
cleanup that it is doing.  As part of that cleanup, it calls through
various functions and ends up evaluating a pattern match.  This pattern
match, the last line in the below snippet, ends up crashing Perl.

The pattern match works fine when called directly in the DESTROY,
instead of through a series of other function calls, and in various
other scenarios.

I initially saw the bug at work (on Windows) using Perl 5.8.9, Perl
5.10.1, and Perl 5.12.1.  I'm reporting it here since perl-debug made it
easy for me to get a backtrace to provide.

   sub isIPv4OrIPv6
   {
       my ($ipString) = @_;

       my $ip_regex_ipv4 = '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$';
       my $ip_regex_ipv6 = 
'^\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}[:\w]{0,5}[:\w]{0,5}[:\w]{0,5}$';
       my $ip_regex_v6ll = 
'^\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}[:\w]{0,5}[:\w]{0,5}%\w+$';

       if ($ipString =~ m/$ip_regex_ipv4/i) {

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.38-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages perl depends on:
ii  libbz2-1.0              1.0.5-6          high-quality block-sorting file co
ii  libc6                   2.11.2-11        Embedded GNU C Library: Shared lib
ii  libdb4.7                4.7.25-17        Berkeley v4.7 Database Libraries [
ii  libgdbm3                1.8.3-9          GNU dbm database routines (runtime
ii  perl-base               5.10.1-20        minimal Perl system
ii  perl-modules            5.10.1-20        Core Perl modules
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages perl recommends:
ii  netbase                       4.45       Basic TCP/IP networking system

Versions of packages perl suggests:
pn  libterm-readline-gnu-perl | l <none>     (no description available)
ii  make                          3.81-8.1   An utility for Directing compilati
ii  perl-doc                      5.10.1-20  Perl documentation

-- no debconf information

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <james...@debian.org>

(gdb) bt full
#0  0x082a3078 in S_swash_get (my_perl=0x99c1008, swash=0xd9ef59c, start=0, 
span=128) at utf8.c:1885
        swatch = 0x8187715
        l = 0x0
        lend = 0x2e3d9658 <Address 0x2e3d9658 out of bounds>
        x = 0xd52613c "10"
        xend = 0x99c1008 "\244\230\200\r\360F"
        s = 0x31 <Address 0x31 out of bounds>
        lcur = 0
        xcur = 0
        scur = 228059168
        hv = 0x0
        listsvp = 0x0
        typesvp = 0x0
        bitssvp = 0x0
        nonesvp = 0x0
        extssvp = 0x0
        typestr = 0x9 <Address 0x9 out of bounds>
        typeto = 228521004
        bits = 32
        octets = 7
        none = 3213325128
        end = 24
#1  0x082a2982 in Perl_swash_fetch (my_perl=0x99c1008, swash=0xd9ef59c, 
ptr=0xd52613c "10", do_utf8=1 '\001') at utf8.c:1824
        code_point = 49
        svp = 0x0
        hv = 0x0
        klen = 0
        off = 49
        slen = 0
        needents = 128
        tmps = 0x0
        bit = 228433996
        swatch = 0xd9ef42c
        tmputf8 = "\000"
        c = 49
#2  0x08287187 in S_find_byclass (my_perl=0x99c1008, prog=0xa004c54, 
c=0xa004d10, s=0xd52613c "10", strend=0xd52613e "", reginfo=0xbf8775e4) at 
regexec.c:1477
        doevery = 1
        m = 0xb77aefa1 "\201\303S\260"
        ln = 3213325992
        lnc = 161223872
        uskip = 1
        c1 = 16
        c2 = 135821096
        e = 0xbf8775b8 "\330v\207\277\265\270(\b\b\020\234\tTL"
        tmp = 1
        do_utf8 = 1 '\001'
        progi = 0xa004cfc
#3  0x0828b8b5 in Perl_regexec_flags (my_perl=0x99c1008, prog=0xa004c54, 
stringarg=0xd52613c "10", strend=0xd52613e "", strbeg=0xd52613c "10", minend=0, 
sv=0xd51c264, data=0x0, flags=3) at regexec.c:2085
        s = 0xd52613c "10"
        c = 0xa004d10
        startpos = 0xd52613c "10"
        minlen = 1
        dontbother = 0
        end_shift = 0
        scream_pos = -1
        scream_olds = 0x0
        do_utf8 = 1 '\001'
        multiline = 0
        progi = 0xa004cfc
        reginfo = {prog = 0xa004c54, bol = 0xd52613c "10", till = 0xd52613c 
"10", sv = 0xd51c264, ganch = 0xb76cdbbd "e\203=\f", cutpoint = 0x0}
        swap_on_fail = 0 '\000'
        re_debug_flags = 0
#4  0x08173f64 in Perl_pp_match (my_perl=0x99c1008) at pp_hot.c:1359
        sp = 0xd8098a4
        targ = 0xd51c264
        pm = 0xa0046f0
        dynpm = 0xa0046f0
        t = 0xd52613c "10"
        s = 0xd52613c "10"
        strend = 0xd52613e ""
        global = 0
        r_flags = 3
        truebase = 0xd52613c "10"
        rx = 0xa004c54
        rxtainted = 0 '\000'
        gimme = 0
        len = 2
        minmatch = 0
        oldsave = 141
        update_minmatch = 1
        had_zerolen = 0
        gpos = 0
#5  0x08130e14 in Perl_runops_debug (my_perl=0x99c1008) at dump.c:1968
No locals.
#6  0x0808d1c4 in Perl_call_sv (my_perl=0x99c1008, sv=0xd6067fc, flags=150) at 
perl.c:2717
        sp = 0xd8098a0
        myop = {op_next = 0x0, op_sibling = 0x0, op_ppaddr = 0, op_targ = 0, 
op_type = 0, op_opt = 0, op_latefree = 0, op_latefreed = 0, op_attached = 0, 
op_spare = 0, op_flags = 65 'A', op_private = 0 '\000', op_first = 0x0, 
op_other = 0xbf8778c8}
        method_op = {op_next = 0xd84860c, op_sibling = 0x4, op_ppaddr = 
0x8131c62 <Perl_safesysfree+343>, op_targ = 228035824, op_type = 252, op_opt = 
0, op_latefree = 1, op_latefreed = 1, op_attached = 0, op_spare = 4, op_flags = 
151 '\227', op_private = 13 '\r', op_first = 0x0}
        oldmark = 0
        retval = 0
        oldscope = 2
        oldcatch = 1 '\001'
        ret = 0
        oldop = 0x0
        cur_env = {je_prev = 0x99c117c, je_buf = {{__jmpbuf = {0, 0, 0, 
-1081640616, -620842677, -978522588}, __mask_was_saved = 0, __saved_mask = 
{__val = {0, 0, 3213326472, 255, 0, 0, 3213326472, 135659754, 161222664, 
161317480, 0, 0, 0, 3077364669, 3077350678, 9364644, 3078225908, 0, 3213326520, 
135651881, 161222664, 161317480, 3077350678, 134633156, 3078230944, 3078225908, 
3078230944, 228069228, 3213326536, 137576992, 0, 137576960}}}}, je_ret = 0, 
je_mustcatch = 0 '\000'}
#7  0x081a8b98 in Perl_sv_clear (my_perl=0x99c1008, sv=0xd9fa52c) at sv.c:5433
        tmpref = 0xd84860c
        destructor = 0xd6067fc
        sp = 0xd8098a0
        stash = 0xd638d2c
        type = 12
        sv_type_details = 0x8334260
        stash = 0xb76cdbbd
#8  0x081aa26d in Perl_sv_free2 (my_perl=0x99c1008, sv=0xd9fa52c) at sv.c:5694
No locals.
#9  0x081aa17c in Perl_sv_free (my_perl=0x99c1008, sv=0xd9fa52c) at sv.c:5670
No locals.
#10 0x08184a96 in do_clean_objs (my_perl=0x99c1008, ref=0xd9ec97c) at sv.c:499
        target = 0xd9fa52c
#11 0x08184570 in S_visit (my_perl=0x99c1008, f=0x8184605 <do_clean_objs>, 
flags=2048, mask=2048) at sv.c:441
        svend = 0xd9ece8c
        sv = 0xd9ec97c
        sva = 0xd9ebe9c
        visited = 611
#12 0x08185390 in Perl_sv_clean_objs (my_perl=0x99c1008) at sv.c:549
No locals.
#13 0x08087238 in perl_destruct (my_perl=0x99c1008) at perl.c:833
        destruct_level = 0 '\000'
        hv = 0x99c1008
#14 0x080647ea in main (argc=13, argv=0xbf877d34, env=0xbf877d6c) at 
perlmain.c:119
        exitstatus = 0
(gdb) frame 1
#1  0x082a2982 in Perl_swash_fetch (my_perl=0x99c1008, swash=0xd9ef59c, 
ptr=0xd52613c "10", do_utf8=1 '\001') at utf8.c:1824
1824                swatch = swash_get(swash,
(gdb) p *swash
$1 = {sv_any = 0xd9ef5a8, sv_refcnt = 1, sv_flags = 4, sv_u = {svu_iv = 0, 
svu_uv = 0, svu_rv = 0x0, svu_pv = 0x0, svu_array = 0x0, svu_hash = 0x0, svu_gp 
= 0x0}}

Attachment: signature.asc
Description: Digital signature

Reply via email to