binary_to_term can crash the VM

Matthias Lang matthias@REDACTED
Thu Feb 2 00:13:21 CET 2006


I recall binary_to_list being fixed to be able to cope with 'bad'
binaries a few years ago. But I stumbled across another way to crash

  2> binary_to_term(<<131,109,255,255,255,255>>).
  Segmentation fault

This can bite when code such as 'rb' calls binary_to_term on corrupt

  /usr/local/src/otp_src_R10B-8/bin/erl -boot start_sasl
  Eshell V5.4.10  (abort with ^G)
  1> c(crash).
  2> crash:go().
  rb: reading report...Segmentation fault

I haven't tried making dets fail, but I bet 'rb' isn't the only thing
which uses binary_to_term on data it can't be sure it created.


(FWIW: I don't use 'log_mf_handler' or 'rb' in production systems
because of past problems. This seems like another good reason to give
them a miss.)


go() ->
  file:write_file("/tmp/zap/index", <<1>>),
  %% simulate a corrupt logfile
  file:write_file("/tmp/zap/1", <<0,6,131,109,255,255,255,255>>),
  rb:start([{report_dir, "/tmp/zap"}]),

More information about the erlang-questions mailing list