develooper Front page | perl.perl5.porters | Postings from May 2018

[perl #133169] pack() treats non hex-digits with the "H*" template

Thread Next
Thomas Lehmann
May 4, 2018 22:00
[perl #133169] pack() treats non hex-digits with the "H*" template
Message ID:
# New Ticket Created by  Thomas Lehmann 
# Please include the string:  [perl #133169]
# in the subject line of all future correspondence about this issue. 
# <URL: >

This is a bug report for perl from,
generated with the help of perlbug 1.40 running under perl 5.24.1.

pack() treats non hex-digits with the "H*" template

The `pack()` function can convert a string into its binary 
representation by applying rules of a "template" string.

$ perl -e 'print(pack("H*", "6d6568") . "\n")'

$ perl -e 'print(pack("H*", "6d6568goofed") . "\n")'

$ perl -e 'print(pack("H*", "6d6568goofed") . "\n")' | hexdump -C
00000000  6d 65 68 08 8f ed 0a                    |meh....|

It's obviously is stupidly calculating the ASCII char's values by using 
its modulo 16 for the HEX digit index:

g  => 00
h  => 10
gg => 00
gh => 01

There seems to be no validation/santitization being applied here.

Expected: the function should fail/die in such a case or return undef.

This behavior applies to multiple Perl (5) versions.

[Please do not change anything below this line]
Site configuration information for perl 5.24.1:

Configured by Debian Project at Tue Sep 12 16:37:26 UTC 2017.

Summary of my perl5 (revision 5 version 24 subversion 1) configuration:

     osname=linux, osvers=3.16.0, archname=x86_64-linux-gnu-thread-multi
     uname='linux localhost 3.16.0 #1 smp debian 3.16.0 x86_64 gnulinux '
     config_args='-Dusethreads -Duselargefiles -Dcc=x86_64-linux-gnu-gcc 
-Dcpp=x86_64-linux-gnu-cpp -Dld=x86_64-linux-gnu-gcc -Dccflags=-DDEBIAN 
-Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 
-fstack-protector-strong -Wformat -Werror=format-security -Dldflags= 
-Wl,-z,relro -Dlddlflags=-shared -Wl,-z,relro -Dcccdlflags=-fPIC 
-Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.24 
-Darchlib=/usr/lib/x86_64-linux-gnu/perl/5.24 -Dvendorprefix=/usr 
-Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.24.1 
-Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 
-Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 
-Dusesitecustomize -Duse64bitint -Dman1ext=1 -Dman3ext=3perl
-Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio 
-Uusenm -Ui_libutil -Uversiononly -DDEBUGGING=-g -Doptimize=-O2 -dEs 
     hint=recommended, useposix=true, d_sigaction=define
     useithreads=define, usemultiplicity=define
     use64bitint=define, use64bitall=define, uselongdouble=undef
     usemymalloc=n, bincompat5005=undef
     cc='x86_64-linux-gnu-gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE 
-DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include 
     optimize='-O2 -g',
     cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv 
-fno-strict-aliasing -pipe -I/usr/local/include'
     ccversion='', gccversion='6.3.0 20170516', gccosandvers=''
     intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, 
     d_longlong=define, longlongsize=8, d_longdbl=define, 
longdblsize=16, longdblkind=3
     ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', 
     alignbytes=8, prototype=define
   Linker and Libraries:
     ld='x86_64-linux-gnu-gcc', ldflags =' -fstack-protector-strong 
     libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/6/include-fixed 
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib 
/usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
     libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
     perllibs=-ldl -lm -lpthread -lc -lcrypt, so=so, useshrplib=true,
   Dynamic Linking:
     dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
     cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib 

Locally applied patches:
     DEBPKG:debian/cpan_definstalldirs - Provide a sensible INSTALLDIRS 
default for modules installed from CPAN.
     DEBPKG:debian/db_file_ver - Remove 
overly restrictive DB_File version check.
     DEBPKG:debian/doc_info - Replace generic man(1) instructions with 
Debian-specific information.
     DEBPKG:debian/enc2xs_inc - Tweak 
enc2xs to follow symlinks and ignore missing @INC directories.
     DEBPKG:debian/errno_ver - Remove 
Errno version check due to upgrade problems with long-running processes.
     DEBPKG:debian/libperl_embed_doc - 
Note that libperl-dev package is required for embedded linking
     DEBPKG:fixes/respect_umask - Respect umask during installation
     DEBPKG:debian/writable_site_dirs - Set umask approproately for site 
install directories
     DEBPKG:debian/extutils_set_libperl_path - EU:MM: set location of 
libperl.a under /usr/lib
     DEBPKG:debian/no_packlist_perllocal - Don't install .packlist or 
perllocal.pod for perl or vendor
     DEBPKG:debian/fakeroot - Postpone LD_LIBRARY_PATH evaluation to the 
binary targets.
     DEBPKG:debian/instmodsh_doc - Debian policy doesn't install 
.packlist files for core or vendor.
     DEBPKG:debian/ld_run_path - Remove standard libs from LD_RUN_PATH 
as per Debian policy.
     DEBPKG:debian/libnet_config_path - Set location of libnet.cfg to 
/etc/perl/Net as /usr may not be writable.
     DEBPKG:debian/mod_paths - Tweak @INC ordering for Debian
     DEBPKG:debian/prune_libs - Prune the 
list of libraries wanted to what we actually need.
     DEBPKG:fixes/net_smtp_docs - [ #36038] Document the Net::SMTP 'Port' option
     DEBPKG:debian/perlivp - Make perlivp 
skip include directories in /usr/local
     DEBPKG:debian/deprecate-with-apt - 
Point users to Debian packages of deprecated core modules
     DEBPKG:debian/squelch-locale-warnings - Squelch locale warnings in Debian package 
maintainer scripts
     DEBPKG:debian/skip-upstream-git-tests - Skip tests specific to the 
upstream Git repository
     DEBPKG:debian/patchlevel - List 
packaged patches for 5.24.1-3+deb9u2 in patchlevel.h
     DEBPKG:debian/skip-kfreebsd-crash - 
[perl #96272] Skip a crashing test case in t/op/threads.t on GNU/kFreeBSD
     DEBPKG:fixes/document_makemaker_ccflags - [ #68613] Document that 
CCFLAGS should include $Config{ccflags}
     DEBPKG:debian/find_html2text - 
Configure CPAN::Distribution with correct name of html2text
     DEBPKG:debian/perl5db-x-terminal-emulator.patch - Invoke x-terminal-emulator rather than 
xterm in
     DEBPKG:debian/cpan-missing-site-dirs - Fix CPAN::FirstTime defaults with 
nonexisting site dirs if a parent is writable
     DEBPKG:fixes/memoize_storable_nstore - [ #77790] Memoize::Storable: respect 'nstore' 
option not respected
     DEBPKG:debian/regen-skip - Skip a regeneration check in unrelated 
git repositories
     DEBPKG:debian/makemaker-pasthru - 
Pass LD settings through to subdirectories
     DEBPKG:debian/makemaker-manext - 
Make EU::MakeMaker honour MANnEXT settings in generated manpage headers
     DEBPKG:debian/devel-ppport-reproducibility - Sort the list of XS code files when 
generating RealPPPort.xs
     DEBPKG:debian/encode-unicode-bom-doc - Document Debian backport of 
Encode::Unicode fix
     DEBPKG:debian/kfreebsd-softupdates - 
Work around Debian Bug#796798
     DEBPKG:fixes/autodie-scope - Fix a 
scoping issue with "no autodie" and the "system" sub
     DEBPKG:fixes/crosscompile-no-targethost - [23695c0] [perl #127234] 
Fix the Configure escape with usecrosscompile but no targethost
     DEBPKG:fixes/memoize-pod - [ #89441] Fix POD errors in 
     DEBPKG:fixes/ok-pod - Added encoding for pod.
     DEBPKG:debian/hurd-softupdates - Fix 
t/op/stat.t failures on hurd
     DEBPKG:fixes/nntp_docs - Net::NNTP: 
Correct innd/nnrpd confusion in relation to Reader option
     DEBPKG:fixes/math_complex_doc_great_circle - [ #114104] Math::Trig: clarify 
definition of great_circle_midpoint
     DEBPKG:fixes/math_complex_doc_see_also - [ #114105] Math::Trig: add 
missing SEE ALSO
     DEBPKG:fixes/math_complex_doc_angle_units - [ #114106] Math::Trig: 
document angle units
     DEBPKG:fixes/cpan_web_link - CPAN: 
Add link to main CPAN web site
     DEBPKG:fixes/time_piece_doc - 
Time::Piece: Improve documentation for add_months and add_years
     DEBPKG:fixes/perlbug-refactor - 
[perl #128020] perlbug: Refactor duplicated file reading code
     DEBPKG:fixes/perlbug-linewrap - 
[perl #128020] perlbug: wrap overly long lines
     DEBPKG:fixes/hurd_sigaction - 
[d54f4ed] ext/POSIX/t/sigaction.t: Skip uid and pid tests on GNU/Hurd
     DEBPKG:fixes/hurd_hints - [4694301] 
[perl #128279] Modify hints for Hurd per Debian ticket 825020.
     DEBPKG:fixes/extutils-parsexs-reproducibility - [perl #128517] Make the output of ExtUtils::ParseXS 
     DEBPKG:debian/CVE-2016-1238/sitecustomize-in-etc - Look for in /etc/perl rather than sitelib on Debian systems
     DEBPKG:debian/CVE-2016-1238/test-suite-without-dot - [perl #127810] 
Patch unit tests to explicitly insert "." into @INC when needed.
     DEBPKG:debian/CVE-2016-1238/eumm-without-dot - [perl #127810] Add 
PERL_USE_UNSAFE_INC support to EU::MM for fortify_inc support.
     DEBPKG:debian/CVE-2016-1238/cpan-without-dot - [perl #127810] Set 
PERL_USE_UNSAFE_INC for cpan usage
     DEBPKG:debian/document_inc_removal - Document in perlvar that we 
remove '.' from @INC by default
     DEBPKG:fixes/extutils_makemaker_reproducible - Make 
perllocal.pod files reproducible
     DEBPKG:debian/CVE-2016-1238/remove-inc-test - Remove test for '.' 
in @INC as it might not be
     DEBPKG:fixes/file_path_hurd_errno - File-Path: Fix test failure in 
Hurd due to hard-coded ENOENT
     DEBPKG:debian/hppa_op_optimize_workaround - Temporarily lower the optimization of 
op.c on hppa due to gcc-6 problems
     DEBPKG:fixes/test-builder-warning - 
Silence a 'used only once' warning in Test::Builder
     DEBPKG:fixes/longdblinf-randomness - [dd68853] [perl #130133] Configure: fix garbage filtering with 
80-bit long doubles
     DEBPKG:debian/installman-utf8 - 
Generate man pages with UTF-8 characters
     DEBPKG:fixes/list_assign_leak - [1050723] [perl #130766] avoid a leak in list assign from/to magic 
     DEBPKG:fixes/perlfunc_inc_doc - [a03e9f8] [perl #130832] Documentation fixes for 
'.' possibly no longer being in @INC
     DEBPKG:fixes/file_path_chmod_race - 
[ #121951] Prevent directory chmod race attack.
     DEBPKG:fixes/extutils_file_path_compat - Correct the order of tests 
of chmod(). (#294)
     DEBPKG:debian/customized - Update customized.dat for files patched 
in Debian
     DEBPKG:fixes/getopt-long-1 - 
[ #114999] Fix bug RT#114999
     DEBPKG:fixes/getopt-long-2 - [ #120300] Withdraw part of 
commit 5d9947fb445327c7299d8beb009d609bc70066c0, which tries to 
implement more GNU getopt_long campatibility. GNU
     DEBPKG:fixes/getopt-long-3 - provide a default value for optional 
     DEBPKG:fixes/getopt-long-4 - 
[ #122068] Fix issue #122068.
     DEBPKG:fixes/fbm-instr-crash - [bb152a4] [perl #131575] don't call Perl_fbm_instr() with negative 
     DEBPKG:debian/CVE-2016-1238/base-pm-amends-pt2 - [1afa289] Limit 
dotless-INC effect on with guard:
     DEBPKG:fixes/CVE-2017-12837 - [perl 
#131582] [f7e5417] regcomp [perl #131582]
     DEBPKG:fixes/CVE-2017-12883 - [perl 
#131598] [40b3cda] PATCH: [perl #131598]

@INC for perl 5.24.1:

Environment for perl 5.24.1:
     LD_LIBRARY_PATH (unset)
     LOGDIR (unset)
     PERL_BADLANG (unset)

Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About