author | Yves Orton <demerphq@gmail.com> | 2016-09-13 21:19:53 +0200 |
---|---|---|
committer | Yves Orton <demerphq@gmail.com> | 2016-09-13 21:21:22 +0200 |
commit | b053c9385f29680bc812db3da64ce5c4d45d0cf7 (patch) | |
tree | 30edada73f4d886b2caba0359698043b44b39d5e /gv.c | |
parent | 92b69f6501b4d7351e09c8b1ddd386aa7e1c9cd1 (diff) | |
download | perl-b053c9385f29680bc812db3da64ce5c4d45d0cf7.tar.gz |
fix: [perl #129267] Possible string overrun with invalid len in gv.c
Perl_gv_fetchmethod_pvn_flags contains various subtle logic bugs related to parsing
fully qualified method names. In particular if you feed the function a string
which ends with a single colon it will end up accessing memory past the end
of the string. In addition, when checking for the second colon in a fully qualified
name we could potentially access memory we don't own, and certainly access memory
not part of the string.
Diffstat (limited to 'gv.c')
-rw-r--r-- | gv.c | 11 |
1 files changed, 6 insertions, 5 deletions
@@ -1009,6 +1009,7 @@ GV *
 Perl_gv_fetchmethod_pvn_flags(pTHX_ HV *stash, const char *name, const STRLEN len, U32 flags)
 {
 const char *nend;
+ const char * const name_end= name + len;
 const char *nsplit = NULL;
 GV* gv;
 HV* ostash = stash;
@@ -1028,15 +1029,15 @@ Perl_gv_fetchmethod_pvn_flags(pTHX_ HV *stash, const char *name, const STRLEN le
 the error reporting code. */
 }
- for (nend = name; *nend || nend != (origname + len); nend++) {
+ for (nend = name; nend < name_end && *nend; nend++) {
 if (*nend == '\'') {
 nsplit = nend;
 name = nend + 1;
 }
- else if (*nend == ':' && *(nend + 1) == ':') {
- nsplit = nend++;
- name = nend + 1;
- }
+ else if (*nend == ':' && nend+1 < name_end && *(nend + 1) == ':') {
+ nsplit = nend++;
+ name = nend + 1;
+ }
 }
 if (nsplit) {
 if ((nsplit - origname) == 5 && memEQ(origname, "SUPER", 5)) { |
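Review bot: The rewritten loop condition `nend < name_end && *nend` also stops at the first NUL byte, whereas the old `*nend || nend != (origname + len)` kept scanning all `len` bytes and only stopped once the end was reached, so a name with an embedded NUL ahead of its `::` is now parsed differently (the separator after the NUL is never seen and nothing is split). If names reaching this function cannot contain NULs, the `*nend` test is redundant with the bounds check and the condition can simply be `for (nend = name; nend < name_end; nend++) {`; if embedded NULs are legal, the truncation deserves a comment such as `/* an embedded NUL terminates the name; bytes after it are ignored */` — the commit message mentions neither case. I cannot see the code after the loop that consumes `name` and `nend`, so which is right depends on what is done with them there. As a style nit, `nend+1 < name_end` sits on the same line as `*(nend + 1)`; `nend + 1 < name_end` would match the surrounding spacing. The function's body begins before and continues past this hunk.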