
Re: [rt.cpan.org #39233] Suspected buffer overflow while running executable made by Par::Packer

From: Steffen Mueller via RT
Date: September 16, 2008 07:13
Subject: Re: [rt.cpan.org #39233] Suspected buffer overflow while running executable made by Par::Packer
Message ID: rt-3.6.HEAD-11521-1221502863-620.39233-15-0@rt.cpan.org

Mon Sep 15 14:21:03 2008: Request 39233 was acted upon.
Transaction: Correspondence added by wyp3rlx02@sneakemail.com
       Queue: PAR
     Subject: Re: [rt.cpan.org #39233] Suspected buffer overflow while running executable made by Par::Packer
   Broken in: (no value)
    Severity: (no value)
       Owner: Nobody
  Requestors: dave_clarke@merck.com
      Status: open
 Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=39233 >


Hi Dave,

Clarke, Dave S via RT wrote:
>        Queue: PAR
>  Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=39233 >
[...]
> I did take a second look at the regexp.  If you knew what I was trying
> to parse, you may not think it was quite so diabolical.

Well, I wasn't considering your goal diabolical nor the means, but the
specific regular expression which, according to the expert, uses a (C)
stack frame per character which is a major issue.

From what I know, it's quite possible that the condition is being
triggered *both* with- and without PAR::Packer. In the PAR::Packer case,
more code has been run, the whole script is essentially running inside
an 'eval""'. Maybe the problem just manifests earlier in that case? I'm
just speculating, though. Are you seeing the problem when you're running
the generated executable on the exact same system or is it a different
computer or OS installation?

> The example you sent looked like it was using an experimental feature
> [?>] -- or maybe I'm looking at old documentation.

You're right. In 5.8.8, this is marked as "highly experimental". I don't
have a 5.10.0 handy, but I suspect it's not experimental any more. In
5.11.0, that construct is absolutely not flagged as experimental any more!

Given that the advice came from the person who wrote almost all of the
improvements in the regexp engine for 5.10.0, he'd naturally use
advanced features.

> Anyways, I have a good solution to the problem for now.  However, there
> was a difference between the way the interpreted perl code ran, and the
> .exe created by Par::Packer.  If I can create a simple script, and .exe
> that I can forward to you, I will.  

Reporting the issue was entirely valid, no doubts. If you can produce a
simple script, that would be much appreciated. I'll mark the issue as
resolved, but a simple reply will reopen the ticket.

Best regards,
Steffen

