You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@lucy.apache.org by "Nick Wellnhofer (JIRA)" <ji...@apache.org> on 2015/10/20 13:02:27 UTC
[lucy-issues] [jira] [Created] (CLOWNFISH-62) Crash when passing Perl variable as
decremented arg
Nick Wellnhofer created CLOWNFISH-62:
----------------------------------------
Summary: Crash when passing Perl variable as decremented arg
Key: CLOWNFISH-62
URL: https://issues.apache.org/jira/browse/CLOWNFISH-62
Project: Apache Lucy-Clownfish
Issue Type: Bug
Components: Perl
Affects Versions: 0.4.0, 0.5.0
Reporter: Nick Wellnhofer
Passing a Perl variable to a method that takes a "decremented" argument results in a use-after-free. Example
{noformat}
perl -MClownfish -e 'Clownfish::Vector->new->push("abc")'
{noformat}
Analysis:
- A Clownfish "stack" string is created from the string value of the Perl variable.
- The stack string is passed to Vec_Push.
- The stack string is never incref'd.
- The copy-on-incref mechanism isn't invoked.
- When the Vector is destroyed, the stack string is decref'd, accessing random stack memory.
A possible solution is to forgo the stack string optimization for decremented arguments.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)