develooper Front page | perl.perl5.porters | Postings from September 2016

Re: [perl #129267] Possible string overrun with invalid len in gv.c

From: demerphq
Date: September 13, 2016 19:55
Subject: Re: [perl #129267] Possible string overrun with invalid len in gv.c
Message ID: CANgJU+XUJjSAcJbgWCJNuUOKhSd==uRt5-xpJn9kT8aZc0_15g@mail.gmail.com

On 13 September 2016 at 21:29, Father Chrysostomos via RT
<perlbug-followup@perl.org> wrote:
> On Tue Sep 13 11:54:55 2016, demerphq wrote:
>> On 13 September 2016 at 20:28, Andy Lester <andy@petdance.com> wrote:
>>
>> >
>> > On Sep 13, 2016, at 1:25 PM, demerphq <demerphq@gmail.com> wrote:
>> >
>> > > I did not search for other examples. I thought it might be best to
>> > > open a discussion before proceeding on any work.
>> >
>> > Not sure what there is to discuss really.  Wrong is wrong. ☺️
>> >
>> >
>> > I took the comment to mean “For all I know, there may be other examples
>> > elsewhere in the codebase, and it might even be a security hole, but I
>> > haven’t investigated further, but someone probably should before we just
>> > patch this and call it done.”
>> >
>>
>> Ah, good catch. Well, maybe there is a security hole here, I don't know.
>>
>> But there are a lot of issues with the code as written. In several places
>> it accesses memory it can't know that we own.
>>
>> It looks to me like if you called this function with a string which ended
>> in exactly one colon that we would continue reading until we hit a null or
>> segfaulted.
>>
>> What would /then/ happen is not clear.
>
> This is an API function, right?  So we can add a test to XS::APItest?

I think so yes.

FWIW, I accidentally pushed my patches before tests completed, and the
tests failed, so I have reverted to see why. Sorry for the commit
noise.

Yves


-- 
perl -Mre=debug -e "/just|another|perl|hacker/"
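
An added illustration, not code from perl's gv.c or from anyone in this thread: the general hazard discussed above, where a scan for `::` over a length-delimited name peeks at the next byte without checking the length, so a name ending in a single colon causes a read past its end. The function names, `backing` and `NAME_LEN` are hypothetical, and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper, not perl's API: offset just past the last "::" in
 * name[0..len), or 0 if there is none. Never reads name[len] or beyond. */
size_t last_sep_bounded(const char *name, size_t len)
{
    size_t i, after = 0;
    for (i = 0; i + 1 < len; i++) {      /* the lookahead byte must be inside too */
        if (name[i] == ':' && name[i + 1] == ':') {
            after = i + 2;
            i++;                         /* step over the second colon */
        }
    }
    return after;
}

/* Same scan with the lookahead left unchecked: when name[len-1] is ':',
 * it inspects name[len], a byte the caller never said belongs to the name. */
size_t last_sep_unchecked(const char *name, size_t len)
{
    size_t i, after = 0;
    for (i = 0; i < len; i++) {
        if (name[i] == ':' && name[i + 1] == ':') {
            after = i + 2;
            i++;
        }
    }
    return after;
}

/* Constructed sample: the name is the first 4 bytes ("Foo:"); the rest stands
 * in for whatever follows it in memory. Keeping those bytes in the same array
 * makes the stray read well-defined for this demonstration only. */
static const char backing[] = { 'F', 'o', 'o', ':', ':', 'x', 'y', 'z' };
#define NAME_LEN 4

int main(void)
{
    printf("bounded:   %zu\n", last_sep_bounded(backing, NAME_LEN));
    printf("unchecked: %zu\n", last_sep_unchecked(backing, NAME_LEN));
    return 0;
}
```

The unchecked variant reports a separator ending at offset 5, beyond the 4-byte name, which is the kind of result a test passing a non-NUL-terminated buffer with an explicit length can catch.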
