Nick Wellnhofer created CLOWNFISH-62:
----------------------------------------
Summary: Crash when passing Perl variable as decremented arg
Key: CLOWNFISH-62
URL: https://issues.apache.org/jira/browse/CLOWNFISH-62
Project: Apache Lucy-Clownfish
Issue Type: Bug
Components: Perl
Affects Versions: 0.4.0, 0.5.0
Reporter: Nick Wellnhofer
Passing a Perl variable to a method that takes a "decremented" argument results
in a use-after-free. Example:
{noformat}
perl -MClownfish -e 'Clownfish::Vector->new->push("abc")'
{noformat}
Analysis:
- A Clownfish "stack" string is created from the string value of the Perl
variable.
- The stack string is passed to Vec_Push.
- The stack string is never incref'd.
- The copy-on-incref mechanism isn't invoked.
- When the Vector is destroyed, the stack string is decref'd, accessing random
stack memory.
A possible solution is to forgo the stack string optimization for decremented
arguments.
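The ownership mismatch from the analysis above, as an added example that is not part of the original report and is not Clownfish source. Every name in it (Str, Vec, str_incref, vec_push, arg_buggy, arg_fixed, vec_destroy) is a hypothetical stand-in, and the stack slot is kept alive so the model never touches freed memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical model of the ownership rules; not Clownfish source. */
typedef struct { int refcount; bool on_stack; const char *text; } Str;
typedef struct { Str *elems[4]; size_t size; } Vec;
static Str *str_new_heap(const char *text) {
    Str *s = malloc(sizeof *s);
    if (!s) abort();
    s->refcount = 1; s->on_stack = false; s->text = text;
    return s;
}
/* Copy-on-incref: keeping a stack string yields a heap copy instead. */
Str *str_incref(Str *s) {
    if (s->on_stack) return str_new_heap(s->text);
    s->refcount++;
    return s;
}
/* "Decremented" parameter: the callee takes over the caller's reference,
 * so it stores the pointer and never calls str_incref. */
void vec_push(Vec *v, Str *decremented) { v->elems[v->size++] = decremented; }
/* Glue as in the report: always wrap the text in a slot in the caller's frame. */
Str *arg_buggy(Str *slot, const char *text) {
    slot->refcount = 1; slot->on_stack = true; slot->text = text;
    return slot;
}
/* Glue with the proposed fix: no stack string for a decremented argument. */
Str *arg_fixed(Str *slot, const char *text, bool decremented) {
    return decremented ? str_new_heap(text) : arg_buggy(slot, text);
}
/* Destroy: decref heap elements; return how many elements were stack wrappers,
 * i.e. decrefs that in the reported bug land on a dead frame. */
size_t vec_destroy(Vec *v) {
    size_t stack_refs = 0;
    for (size_t i = 0; i < v->size; i++) {
        Str *s = v->elems[i];
        if (s->on_stack) stack_refs++;
        else if (--s->refcount == 0) free(s);
    }
    v->size = 0;
    return stack_refs;
}
int main(void) {
    Vec bad = {0}, good = {0}; Str slot;
    vec_push(&bad, arg_buggy(&slot, "abc"));
    vec_push(&good, arg_fixed(&slot, "abc", true));
    printf("decrefs on stack wrappers: buggy=%zu fixed=%zu\n",
           vec_destroy(&bad), vec_destroy(&good));
    return 0;
}
```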