diff options
| author | Andy Dougherty <doughera@lafayette.edu> | 2012-09-27 09:52:18 -0400 |
|---|---|---|
| committer | Ricardo Signes <rjbs@cpan.org> | 2012-10-17 11:57:57 -0400 |
| commit | b11b0d3ef18a35595a07a06c91fa4f27c9cacf5b (patch) | |
| tree | d991fb0ce9d36058c0504e2bccb715afee0d031a | |
| parent | 495a70389718bcaa3f03781e37c0c82e8508f0fd (diff) | |
| download | perl-b11b0d3ef18a35595a07a06c91fa4f27c9cacf5b.tar.gz | |
avoid calling memset with a negative count
Poorly written perl code that allows an attacker to specify the count to
perl's 'x' string repeat operator can already cause a memory exhaustion
denial-of-service attack. A flaw in versions of perl before 5.15.5 can
escalate that into a heap buffer overrun; coupled with versions of glibc
before 2.16, it possibly allows the execution of arbitrary code.
The flaw addressed to this commit has been assigned identifier
CVE-2012-5195.
| -rw-r--r-- | util.c | 3 |
1 files changed, 3 insertions, 0 deletions
@@ -3416,6 +3416,9 @@ Perl_repeatcpy(register char *to, register const char *from, I32 len, register I { PERL_ARGS_ASSERT_REPEATCPY; + if (count < 0) + Perl_croak_nocontext("%s",PL_memory_wrap); + if (len == 1) memset(to, *from, count); else if (count) { |