Posted to issues@lucy.apache.org by "Nick Wellnhofer (JIRA)" <ji...@apache.org> on 2015/10/20 13:02:27 UTC

[lucy-issues] [jira] [Created] (CLOWNFISH-62) Crash when passing Perl variable as decremented arg

Nick Wellnhofer created CLOWNFISH-62:
----------------------------------------

             Summary: Crash when passing Perl variable as decremented arg
                 Key: CLOWNFISH-62
                 URL: https://issues.apache.org/jira/browse/CLOWNFISH-62
             Project: Apache Lucy-Clownfish
          Issue Type: Bug
          Components: Perl
    Affects Versions: 0.4.0, 0.5.0
            Reporter: Nick Wellnhofer


Passing a Perl variable to a method that takes a "decremented" argument results in a use-after-free. Example:

{noformat}
perl -MClownfish -e 'Clownfish::Vector->new->push("abc")'
{noformat}

Analysis:

- A Clownfish "stack" string is created from the string value of the Perl variable.
- The stack string is passed to Vec_Push.
- The stack string is never incref'd.
- The copy-on-incref mechanism isn't invoked.
- When the Vector is destroyed, the stack string is decref'd, accessing random stack memory.

A possible solution is to forgo the stack string optimization for decremented arguments.




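The ownership flow from the analysis above, as an added toy model in C (not Clownfish source and not part of the original report). `Str`, `Vec`, `str_incref`, `vec_push` and `convert_arg` are hypothetical stand-ins for the binding's stack string, copy-on-incref and Vec_Push; the model only checks where the stored pointer points and never dereferences it after the frame is gone.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy refcounted string; on_stack marks the "stack string" optimization. */
typedef struct Str { int refcount; bool on_stack; char buf[16]; } Str;
typedef struct Vec { Str *elem; } Vec;

Str *str_new_heap(const char *s) {
    Str *h = calloc(1, sizeof *h);
    if (!h) abort();
    h->refcount = 1;
    snprintf(h->buf, sizeof h->buf, "%s", s);
    return h;
}

/* Copy-on-incref: retaining a stack string yields a heap copy instead. */
Str *str_incref(Str *s) {
    if (s->on_stack) return str_new_heap(s->buf);
    s->refcount++;
    return s;
}

void str_decref(Str *s) {
    if (--s->refcount == 0 && !s->on_stack) free(s);
}

/* "Decremented" parameter: the callee takes over the caller's reference
 * and stores the pointer without calling str_incref, so the copy-on-incref
 * safety net above is never reached. */
void vec_push(Vec *v, Str *decremented) { v->elem = decremented; }

/* Binding-layer argument conversion. fixed=false always uses the stack slot;
 * fixed=true forgoes the optimization when the parameter is decremented. */
Str *convert_arg(const char *val, Str *slot, bool decremented, bool fixed) {
    if (decremented && fixed) return str_new_heap(val);
    slot->refcount = 1;
    slot->on_stack = true;
    snprintf(slot->buf, sizeof slot->buf, "%s", val);
    return slot;
}

/* True if the vector is left holding a pointer into this frame, which
 * would dangle (and later be decref'd) once the frame returns. */
bool push_leaves_stack_pointer(bool fixed) {
    Str slot;
    Vec v = { NULL };
    vec_push(&v, convert_arg("abc", &slot, true, fixed));
    bool dangling = v.elem->on_stack;
    if (!dangling) str_decref(v.elem);  /* vector destruction, safe case */
    return dangling;
}
```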