develooper Front page | perl.perl5.porters | Postings from September 2016

Re: [perl #129267] Possible string overrun with invalid len in gv.c

From: demerphq
Date: September 13, 2016 18:54
Subject: Re: [perl #129267] Possible string overrun with invalid len in gv.c
Message ID: CANgJU+W0eO3y25tsZQ_yM2h7Vm9T=dhnXVwrzUnZhh=RnvSpCQ@mail.gmail.com

On 13 September 2016 at 20:28, Andy Lester <andy@petdance.com> wrote:

>
> On Sep 13, 2016, at 1:25 PM, demerphq <demerphq@gmail.com> wrote:
>
> > I did not search for other examples. I thought it might be best to
> > open a discussion before proceeding on any work.
>
> Not sure what there is to discuss really.  Wrong is wrong. ☺️
>
>
> I took the comment to mean “For all I know, there may be other examples
> elsewhere in the codebase, and it might even be a security hole, but I
> haven’t investigated further, but someone probably should before we just
> patch this and call it done.”
>

Ah, good catch. Well, maybe there is a security hole here, I don't know.

But there are a lot of issues with the code as written. In several places
it accesses memory it can't know that we own.

It looks to me like if you called this function with a string which ended
in exactly one colon that we would continue reading until we hit a null or
segfaulted.

What would /then/ happen is not clear.

Yves



-- 
perl -Mre=debug -e "/just|another|perl|hacker/"
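
Added example, not part of the original message and not the gv.c code: a constructed scanner for `::` separators in a pointer-plus-length name, showing how a name ending in exactly one colon is read past its length when the look-ahead is not bounds-checked. The names `scan_naive`, `scan_bounded`, `SAMPLE` and `SAMPLE_LEN` are hypothetical, and the assumption is that the scanner detects a separator by peeking at the byte after a `:`.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: the caller owns only the first SAMPLE_LEN bytes,
 * "Foo::Bar:", which end in exactly one colon. The bytes after that
 * stand in for whatever happens to follow the name in memory. */
static const char SAMPLE[] = "Foo::Bar::Baz";
enum { SAMPLE_LEN = 9 };

/* Separators counted, and the highest offset the scan read from. */
struct scan { size_t seps; size_t max_off; };

/* Unchecked look-ahead: on ':' it reads name[i + 1] even when i + 1 == len. */
static struct scan scan_naive(const char *name, size_t len)
{
    struct scan r = {0, 0};
    for (size_t i = 0; i < len; i++) {
        r.max_off = i;
        if (name[i] == ':') {
            r.max_off = i + 1;                 /* may be outside the name */
            if (name[i + 1] == ':') { r.seps++; i++; }
        }
    }
    return r;
}

/* Bounded look-ahead: name[i + 1] is read only if it lies inside len. */
static struct scan scan_bounded(const char *name, size_t len)
{
    struct scan r = {0, 0};
    for (size_t i = 0; i < len; i++) {
        r.max_off = i;
        if (name[i] == ':' && i + 1 < len) {
            r.max_off = i + 1;
            if (name[i + 1] == ':') { r.seps++; i++; }
        }
    }
    return r;
}

int main(void)
{
    struct scan a = scan_naive(SAMPLE, SAMPLE_LEN);
    struct scan b = scan_bounded(SAMPLE, SAMPLE_LEN);
    printf("naive:   seps=%zu max_off=%zu (len=%d)\n", a.seps, a.max_off, SAMPLE_LEN);
    printf("bounded: seps=%zu max_off=%zu\n", b.seps, b.max_off);
    return 0;
}
```

The unchecked version reports a separator count that depends on a byte outside the name, which is the kind of result a fuzzer or AddressSanitizer run on length-delimited inputs would flag.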
