Bug#575318: Bug in formline with dynamic PICTURE argument
Roland Kuhn
rk at rkuhn.info
Wed Mar 24 21:18:45 UTC 2010
Package: perl
Version: 5.10.0-19lenny2
When trying to dynamically build a PICTURE argument as suggested in `man perlform`, strange things happen depending on the input:
=========================================================================
www-data@rk:~$ cat bug.pl
#!/usr/bin/perl -wT
use strict;
my $maxline = shift;
formline '@'.'<'x$maxline.' | @*', 'hallo', 'welt';
print "$^A\n";
www-data@rk:~$ ./bug.pl 20
hallo | welt
www-data@rk:~$ ./bug.pl 21
Segmentation fault
www-data@rk:~$ ./bug.pl 22
Segmentation fault
www-data@rk:~$ ./bug.pl 23
*** glibc detected *** /usr/bin/perl: realloc(): invalid next size: 0x00000000006272a0 ***
======= Backtrace: =========
/lib/libc.so.6[0x7fa183b7d928]
/lib/libc.so.6[0x7fa183b81521]
/lib/libc.so.6(realloc+0x12f)[0x7fa183b81f9f]
/usr/lib/libperl.so.5.10(Perl_safesysrealloc+0x3f)[0x7fa18458d1df]
/usr/lib/libperl.so.5.10(Perl_sv_grow+0x76)[0x7fa1845c29b6]
/usr/lib/libperl.so.5.10(Perl_sv_catpvn_flags+0x13b)[0x7fa1845c450b]
/usr/lib/libperl.so.5.10(Perl_sv_catsv_flags+0x112)[0x7fa1845c8332]
/usr/lib/libperl.so.5.10(Perl_pp_formline+0xf9e)[0x7fa1845ec32e]
/usr/lib/libperl.so.5.10(Perl_runops_standard+0x12)[0x7fa1845ab392]
/usr/lib/libperl.so.5.10(perl_run+0x30f)[0x7fa1845a65df]
/usr/bin/perl(main+0xdc)[0x400d0c]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7fa183b281a6]
/usr/bin/perl[0x400b69]
======= Memory map: ========
Aborted
www-data@rk:~$
=========================================================================
It fails in the same way when constructing the PICTURE first in a variable and passing that, and it happens also when putting the variable into a HERE document.
The problem does not happen when replacing $maxline with a literal 24 in the formline call. Also, running formline with a static PICTURE of the corresponding size, the dynamic version works afterwards. This problem seems to be architecture independent, as I've seen similarly strange behavior on MacOS X (only without the nice stack trace).
I'm running an up-to-date lenny system with all security patches.
kernel: 2.6.26-2-amd64
glibc: 2.7-18lenny2
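
The width-dependent failures reported above can be checked on any perl build with a small sweep harness. This is an added example, not part of the original report; `PERL_BIN`, the function names and the width range in the usage line are assumptions, and the signal numbers are the Linux ones.

```shell
#!/bin/sh
# Added example (not from the report): run the report's formline call in a
# child perl for each width and label how the child exited.
# PERL_BIN and all function names are assumptions of this sketch.
PERL_BIN=${PERL_BIN:-perl}

# Translate a shell exit status into a label. A status above 128 means the
# child died from signal (status - 128); 6 and 11 are the Linux numbers.
classify_status() {
    case "$1" in
        0)   echo ok ;;
        134) echo SIGABRT ;;  # 128 + 6: the glibc abort shown as "Aborted"
        139) echo SIGSEGV ;;  # 128 + 11: shown as "Segmentation fault"
        *)   if [ "$1" -gt 128 ]; then
                 echo "signal-$(( $1 - 128 ))"
             else
                 echo "exit-$1"
             fi ;;
    esac
}

# Same statement as bug.pl, with q() quoting so it survives the shell's
# single quotes. A crash only kills the child, never this harness.
run_width() {
    status=0
    "$PERL_BIN" -wT -e '
        use strict;
        my $maxline = shift;
        formline q(@) . q(<) x $maxline . q( | @*), q(hallo), q(welt);
        print "$^A\n";
    ' "$1" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Print "width label" for every width from $1 to $2 inclusive.
sweep() {
    w=$1
    while [ "$w" -le "$2" ]; do
        printf '%s %s\n' "$w" "$(run_width "$w")"
        w=$(( w + 1 ))
    done
}

# Usage: sh sweep.sh 18 26
if [ "$#" -eq 2 ]; then
    sweep "$1" "$2"
fi
```

Any label other than `ok` in the output marks a width at which the child perl did not exit cleanly on that build.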