[PATCH] Corrupt filename when setting %INC entry in a @INC hook

From: Salvador Ortiz Garcia
Date: August 21, 2009 17:38
Subject: [PATCH] Corrupt filename when setting %INC entry in a @INC hook
Message ID: 1250901475.15495.27.camel@monica.msg.com.mx

The code in pp_ctl.c after calling an @INC hook blindly assumes that the
SV set by the user in %INC is an SVPV (SvPOK true) for setting
the filename.
So when the user uses other scalar types, the output of __FILE__, warn,
die, caller, etc. shows random garbage.

Present in:

perl 5.10.0 and 5.10.1-RC2
(Introduced in 5.9.5)

How to reproduce:

#!/usr/bin/perl -w
package BAR;
use overload '""' => sub { $_[0]->{f} };
sub FOO::INC {
    my($s, $f)=@_;
    if($f =~ /^(Sn[io]p)\.pm$/) {
	open(my $fh, 
	    qq(echo "package $1; sub t { __FILE__ } 1;" |)
	);
	$INC{$f} = $f eq 'Snip.pm' ? $f : bless({f=>$f}, 'BAR');
	warn "Synthetic $INC{$f}\n";
	return $fh;
    }
    return
}

push @INC, bless({},'FOO');
require Snip;
print "$INC{'Snip.pm'}=",Snip::t(),"\n";
require Snop;
print "$INC{'Snop.pm'}=",Snop::t(),"\n";
__END__

Priority: High

The bug exposes a pointer to random memory.

Proposed Patch:

--- perl-5.10.1-RC2/pp_ctl.c.orig  2009-07-03 07:22:58.000000000 -0500
+++ perl-5.10.1-RC2/pp_ctl.c  2009-08-20 15:37:56.000000000 -0500
@@ -3308,9 +3308,9 @@
 
		    /* Adjust file name if the hook has set an %INC entry */
 		    svp = hv_fetch(GvHVn(PL_incgv), name, len, 0);
 		    if (svp)
-			tryname = SvPVX_const(*svp);
+			tryname = SvPV_nolen_const(*svp);
 
 		    if (count > 0) {
 			int i = 0;
 			SV *arg;
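
Review bot: on the changed line `tryname = SvPV_nolen_const(*svp);`, the lifetime of the returned pointer needs a comment or a copy. For a non-PV value such as the overloaded object in the reproducer, stringification can run user code and return a buffer that does not belong to *svp, so please confirm tryname is consumed or copied before temporaries are freed. The `if (svp)` guard also lets an undefined %INC entry through, which would now stringify to an empty file name with an uninitialized-value warning; `if (svp && SvOK(*svp))` would keep the hook's default name in that case. A regression test based on the reproducer should accompany the change.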


Comments?

Salvador Ortiz
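
A regression test a reviewer might ask for alongside this patch, as an added example that is not part of the original post or of the Perl test suite. It assumes a perl with the fix applied, and uses constructed package names (StrObj, HookPlain, HookObj, HookNum) and an in-memory filehandle in place of the echo pipe.

```perl
#!/usr/bin/perl
# Added regression-test sketch; all package and file names are constructed.
use strict;
use warnings;
use Test::More tests => 3;

{
    package StrObj;    # stringifies to the path stored in {f}
    use overload '""' => sub { $_[0]{f} }, fallback => 1;
}

# Value the hook stores in %INC for each requested file.
my %inc_value = (
    'HookPlain.pm' => 'HookPlain.pm',                                 # plain string
    'HookObj.pm'   => bless({ f => 'virtual/HookObj.pm' }, 'StrObj'), # overloaded ref
    'HookNum.pm'   => 12345,                                          # integer, no PV
);

# @INC hook: serve the module source from memory and set the %INC entry
# to a scalar that is not necessarily a plain string.
push @INC, sub {
    my (undef, $file) = @_;
    return unless exists $inc_value{$file};
    (my $pkg = $file) =~ s/\.pm\z//;
    my $src = "package $pkg; sub file { __FILE__ } 1;\n";
    open my $fh, '<', \$src or die "in-memory open failed: $!";
    $INC{$file} = $inc_value{$file};
    return $fh;
};

for my $file (sort keys %inc_value) {
    (my $pkg = $file) =~ s/\.pm\z//;
    require $file;
    # __FILE__ inside the loaded code must be the stringified %INC value,
    # not whatever bytes happen to sit behind an unset PV slot.
    is($pkg->can('file')->(), "$inc_value{$file}",
        "__FILE__ in $pkg matches the stringified %INC entry");
}
```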