develooper Front page | perl.perl5.porters | Postings from September 2016

[perl #129267] Possible string overrun with invalid len in gv.c

From: Todd Rinaldo via RT
Date: September 13, 2016 18:56
Subject: [perl #129267] Possible string overrun with invalid len in gv.c
Message ID: rt-4.0.24-20750-1473792958-1292.129267-15-0@perl.org
On Tue Sep 13 11:51:18 2016, demerphq wrote:

> Well, that fixes /one/ issue. But I think there are more. I was
> putting together a patch like this:
> 
> $ git diff gv.c
> diff --git a/gv.c b/gv.c
> index 1bc8bf2..23700a0 100644
> --- a/gv.c
> +++ b/gv.c
> @@ -1009,6 +1009,7 @@ GV *
>  Perl_gv_fetchmethod_pvn_flags(pTHX_ HV *stash, const char *name,
> const STRLEN len, U32 flags)
>  {
>      const char *nend;
> +    const char * const name_end= name + len;
s/char * const/char */

>      const char *nsplit = NULL;
>      GV* gv;
>      HV* ostash = stash;
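Review bot: name_end is derived from the name parameter, which the loop in the next hunk reassigns (name = nend + 1), so the declaration must stay where it is, before the loop; since that hunk measures the separator position as nsplit - origname, computing the bound as origname + len (or naming it origname_end) would make the invariant explicit, provided origname is already initialised at this point. The assignment also needs a space before the "=" to match the surrounding style: `const char *name_end = name + len;`.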
> @@ -1028,15 +1029,15 @@ Perl_gv_fetchmethod_pvn_flags(pTHX_ HV *stash,
> const char *name, const STRLE
>            the error reporting code.  */
>      }
> 
> -    for (nend = name; *nend || nend != (origname + len); nend++) {
> +    for (nend = name; nend < name_end && *nend; nend++) {
>         if (*nend == '\'') {
>             nsplit = nend;
>             name = nend + 1;
I assume you changed <= to < to address this? It's unclear to me what the effects of name being an empty string are.


>         }
> -       else if (*nend == ':' && *(nend + 1) == ':') {
> -           nsplit = nend++;
> -           name = nend + 1;
> -       }
> +        else if (*nend == ':' && nend+1 < name_end && *(nend + 1) == ':') {
> +            nsplit = nend++;
> +            name = nend + 1;
> +        }
>      }
>      if (nsplit) {
>         if ((nsplit - origname) == 5 && memEQ(origname, "SUPER", 5)) {
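Review bot: the change from `*nend || nend != (origname + len)` to `nend < name_end && *nend` does more than bound the loop: the old condition kept scanning past an embedded NUL until len bytes were consumed (and past the end of a buffer that is not NUL-terminated at name + len, which is the overrun), whereas the new one stops at the first NUL, so a name with a NUL in the middle is now silently truncated at that byte rather than rejected or scanned to len. If callers always pass a NUL-free name that is fine, but it should be stated in the commit message, and if len is meant to be authoritative the `*nend` test can be dropped altogether. For len == 0 the new loop body never runs and nothing is dereferenced, so an empty name simply yields nsplit == NULL. The `nend + 1 < name_end` guard before reading `*(nend + 1)` is correct. Style: the replacement else-if block is indented eight spaces while the removed lines and the surrounding `if (*nend == '\'')` use seven, so the indentation should be realigned.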
> 
> 
> Although I will probably follow it will another patch to rename
> "nend".
> 
> Also, somewhat concerning is the comment right above this function:
> 
> /* Don't merge this yet, as it's likely to get a len parameter, and
> possibly
>    even a U32 hash */
> 
> Sigh.
> 
> Yves




---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=129267
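As an added illustration of the bounded scan in the quoted patch, the following C is example code written for this page, not perl's gv.c; the function names split_method_name, package_part_len and method_is_super are my own. It reproduces the loop over a name of exactly len bytes, which need not be NUL-terminated, guards the "::" look-ahead the same way, shows that a trailing ':' at the end of an unterminated buffer is never read past, and shows that with len == 0 nothing is dereferenced at all, which is the empty-name case asked about above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scan `len` bytes of `name` (not necessarily NUL-terminated) for the
 * last package separator, "::" or the old-style "'", the way the quoted
 * patch does with name_end.  On return *nsplit_out points at the
 * separator (or is NULL when there is none) and the returned pointer is
 * the start of the bare method name.  Hypothetical helper, not perl's. */
const char *
split_method_name(const char *name, size_t len, const char **nsplit_out)
{
    const char * const name_end = name + len;   /* one past the last byte */
    const char *nend;
    const char *nsplit = NULL;

    /* Every dereference of nend is guarded by nend < name_end, and the
     * look-ahead at nend + 1 is guarded separately, so a ':' in the very
     * last byte of the buffer does not cause a read past the end.
     * With len == 0 the loop body never runs. */
    for (nend = name; nend < name_end && *nend; nend++) {
        if (*nend == '\'') {
            nsplit = nend;
            name = nend + 1;
        }
        else if (*nend == ':' && nend + 1 < name_end && *(nend + 1) == ':') {
            nsplit = nend++;
            name = nend + 1;
        }
    }
    *nsplit_out = nsplit;
    return name;
}

/* Length of the package part (bytes before the last separator), measured
 * from the original start of the name, or 0 when there is no separator. */
size_t
package_part_len(const char *name, size_t len)
{
    const char *nsplit;
    (void)split_method_name(name, len, &nsplit);
    return nsplit ? (size_t)(nsplit - name) : 0;
}

/* The check the hunk performs right after the loop: is the package part
 * exactly the five bytes "SUPER"?  Uses the original name, as the patch
 * does with origname. */
int
method_is_super(const char *name, size_t len)
{
    return package_part_len(name, len) == 5 && memcmp(name, "SUPER", 5) == 0;
}

int main(void)
{
    static const char full[] = "Foo::Bar::baz";      /* constructed sample */
    const char buf[4] = { 'F', 'o', 'o', ':' };       /* no NUL terminator */
    const char *nsplit;
    const char *method;

    method = split_method_name(full, sizeof full - 1, &nsplit);
    printf("method=%s package=%.*s\n", method, (int)(nsplit - full), full);

    method = split_method_name(buf, sizeof buf, &nsplit);
    printf("trailing colon: nsplit=%s method_at_start=%d\n",
           nsplit ? "set" : "NULL", method == buf);

    method = split_method_name("", 0, &nsplit);
    printf("empty name: nsplit=%s\n", nsplit ? "set" : "NULL");
    printf("SUPER::new is super: %d\n", method_is_super("SUPER::new", 10));
    return 0;
}
```

Compile with any C99 compiler; the unterminated four-byte buffer is the case the original `*nend || nend != (origname + len)` condition would have read past.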
