
[perl #129267] Possible string overrun with invalid len in gv.c

From: Father Chrysostomos via RT
Date: September 13, 2016 19:30
Subject: [perl #129267] Possible string overrun with invalid len in gv.c
Message ID: rt-4.0.24-20750-1473794981-841.129267-15-0@perl.org

On Tue Sep 13 11:54:55 2016, demerphq wrote:
> On 13 September 2016 at 20:28, Andy Lester <andy@petdance.com> wrote:
> 
> >
> > On Sep 13, 2016, at 1:25 PM, demerphq <demerphq@gmail.com> wrote:
> >
> > > I did not search for other examples. I thought it might be best to
> > > open a discussion before proceeding on any work.
> >
> > Not sure what there is to discuss really.  Wrong is wrong. ☺️
> >
> >
> > I took the comment to mean “For all I know, there may be other examples
> > elsewhere in the codebase, and it might even be a security hole, but I
> > haven’t investigated further, but someone probably should before we just
> > patch this and call it done.”
> >
> 
> Ah, good catch. Well, maybe there is a security hole here, I don't know.
> 
> But there are a lot of issues with the code as written. In several places
> it accesses memory it can't know that we own.
> 
> It looks to me like if you called this function with a string which ended
> in exactly one colon that we would continue reading until we hit a null or
> segfaulted.
> 
> What would /then/ happen is not clear.

This is an API function, right?  So we can add a test to XS::APItest?


-- 

Father Chrysostomos


---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=129267
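
The failure mode raised in the quoted message, a name scanner that looks one byte ahead when the name ends in exactly one colon, shown as an added C example. It is not code from gv.c or from anyone in this thread; `last_component_offset` is a hypothetical helper and the (pointer, length) calling convention is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not from gv.c): return the offset of the last
 * name component in name[0..len), i.e. the byte after the final "::".
 * Returns 0 when no complete "::" lies inside the len bytes. */
static size_t last_component_offset(const char *name, size_t len)
{
    const char *end = name + len;
    size_t off = 0;
    const char *p;

    for (p = name; p < end; p++) {
        /* Peek at p[1] only after proving it is inside the buffer.
         * Without "p + 1 < end", a name whose last byte is a lone ':'
         * makes the scanner read one byte past len. */
        if (*p == ':' && p + 1 < end && p[1] == ':') {
            off = (size_t)(p - name) + 2;
            p++;            /* skip the second ':' of the pair */
        }
    }
    return off;
}

int main(void)
{
    /* Constructed input: with len 4 the view is "Foo:", and the byte
     * just past the view is another ':' that must not be consulted. */
    static const char buf[] = "Foo::bar";

    printf("%zu\n", last_component_offset(buf, 4));
    printf("%zu\n", last_component_offset(buf, 5));
    printf("%zu\n", last_component_offset(buf, 8));
    return 0;
}
```

The `len == 4` call is the regression case: the result must not depend on the byte that follows the caller's length.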