[perl #129149] heap-buffer-overflow S_pack_Rec pp_pack.c:3108

From: Tony Cook via RT
Date: January 23, 2017 04:06
Subject: [perl #129149] heap-buffer-overflow S_pack_Rec pp_pack.c:3108
Message ID: rt-4.0.24-2540-1485144392-1210.129149-15-0@perl.org

On Wed, 07 Sep 2016 17:44:54 -0700, tonyc wrote:
> On Sat Sep 03 07:47:23 2016, dcollinsn@gmail.com wrote:
> > Apologies if this is a dupe. This appears to be a legitimate bug in pack,
> > which may be security-related. It doesn't use the 'p' or 'P' types - it's
> > stuffing 0xFFFFFFFFFFFFFFFF into a char type, and in the process, it gets a
> > libc panic.
> >
> > perl -e 'pack SWFW, 0,0,0,-1'
> ...
> > ==20524== Invalid write of size 1
> > ==20524==    at 0x786A1E: S_pack_rec (pp_pack.c:3108)
> > ==20524==    by 0x7871EE: Perl_packlist (pp_pack.c:1971)
> > ==20524==    by 0x7871EE: Perl_pp_pack (pp_pack.c:3131)
> > ==20524==    by 0x5C9E42: Perl_runops_standard (run.c:41)
> > ==20524==    by 0x47BFFE: S_run_body (perl.c:2525)
> > ==20524==    by 0x47BFFE: perl_run (perl.c:2448)
> > ==20524==    by 0x41FCDE: main (perlmain.c:123)
> 
> This looks like the same bug as security ticket 129149, which I posted
> the attached patch for.

Which has been fixed and your case no longer fails.

Merged your 129187 into 129149 (which is public.)

Tony



---
via perlbug:  queue: perl5 status: pending release
https://rt.perl.org/Ticket/Display.html?id=129149


