SECURITY FIX: Buffer overflow in gv_fetchfile()

author: Chip Salzenberg <chip@perl.com> 1997-04-18 00:00:00 +0000
committer: Chip Salzenberg <chip@atlantic.net> 1997-04-18 00:00:00 +0000
commit: 53d9598854cd7b8b1159c1eede92a8c86c413bb6 (patch)
tree: 3e199d04f40ab1c0cd1614a3f7a88f599a097c3c
parent: 83437becac3a89db6e4fbc7e9b794e0d2e203eca (diff)
download: perl-53d9598854cd7b8b1159c1eede92a8c86c413bb6.tar.gz
1 files changed, 12 insertions, 3 deletions
diff --git a/gv.c b/gv.c
index 8bb1f10105..90eee265f6 100644
--- a/gv.c
+++ b/gv.c
@@ -58,15 +58,24 @@ GV *
 gv_fetchfile(name)
 char *name;
 {
-    char tmpbuf[1200];
+    char smallbuf[256];
+    char *tmpbuf;
     STRLEN tmplen;
     GV *gv;
 
-    sprintf(tmpbuf, "_<%s", name);
-    tmplen = strlen(tmpbuf);
+    tmplen = strlen(name) + 2;
+    if (tmplen < sizeof smallbuf)
+	tmpbuf = smallbuf;
+    else
+	New(603, tmpbuf, tmplen + 1, char);
+    tmpbuf[0] = '_';
+    tmpbuf[1] = '<';
+    strcpy(tmpbuf + 2, name);
     gv = *(GV**)hv_fetch(defstash, tmpbuf, tmplen, TRUE);
     if (!isGV(gv))
 	gv_init(gv, defstash, tmpbuf, tmplen, FALSE);
+    if (tmpbuf != smallbuf)
+	Safefree(tmpbuf);
     sv_setpv(GvSV(gv), name);
     if (*name == '/' && (instr(name, "/lib/") || instr(name, ".pm")))
 	GvMULTI_on(gv);
author	Chip Salzenberg <chip@perl.com>	1997-04-18 00:00:00 +0000
committer	Chip Salzenberg <chip@atlantic.net>	1997-04-18 00:00:00 +0000
commit	53d9598854cd7b8b1159c1eede92a8c86c413bb6 (patch)
tree	3e199d04f40ab1c0cd1614a3f7a88f599a097c3c
parent	83437becac3a89db6e4fbc7e9b794e0d2e203eca (diff)
download	perl-53d9598854cd7b8b1159c1eede92a8c86c413bb6.tar.gz