[CLOWNFISH-62] Crash when passing Perl variable as decremented arg - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 0.4.0, 0.5.0
Fix Version/s: 0.5.0
Component/s: Perl
Labels:
None

Description

Passing a Perl variable to a method that takes a "decremented" argument results in a use-after-free. Example

perl -MClownfish -e 'Clownfish::Vector->new->push("abc")'

Analysis:

A Clownfish "stack" string is created from the string value of the Perl variable.
The stack string is passed to Vec_Push.
The stack string is never incref'd.
The copy-on-incref mechanism isn't invoked.
When the Vector is destroyed, the stack string is decref'd, accessing random stack memory.

A possible solution is to forgo the stack string optimization for decremented arguments.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Nikolas Wellnhofer

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 20/Oct/15 11:02

Updated:: 04/Nov/15 12:37

Resolved:: 04/Nov/15 12:37