develooper Front page | perl.perl5.porters | Postings from November 2016

[perl #129274] heap-buffer-overflow Perl_sv_vcatpvfn_flags(sv.c:12912)

Tony Cook via RT
November 30, 2016 04:31
[perl #129274] heap-buffer-overflow Perl_sv_vcatpvfn_flags(sv.c:12912)
Message ID:
On Wed, 05 Oct 2016 06:04:14 -0700, hv wrote:
> A shorter test case (failure indicated by "column -1"):
> % perl -le 'print "stat t\$#\x{10}"' | ./miniperl
> $# is no longer supported at - line 1.
> Unrecognized character \x10; marked by <-- HERE after stat t$#<-- HERE
> near column -1 at - line 1.
>  %
> This is a lexer issue that I do not have sufficient knowledge to fix:
> at the point toke.c:4910 wants to report that \x{10} is an
> unrecognized character, PL_linestart is already pointing at the
> following line. This was advanced by S_intuit_method calling
> skipspace() at the '#' after seeing the '$', which skipspace then
> treated as a comment.
> I don't think this is likely to be a security concern.

I agree, so I've move the ticket to the public queue.

Treating the # immediately following the $ as a comment in
intuit_method() strikes me as a bug in itself, which I think
the attached fixes.

I don't think this fixes the base issue though - I'm not sure
how to fix that, perhaps intuit_method() should be restoring


via perlbug:  queue: perl5 status: open Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About