
[perl5-dbi/dbi] 36f2a2: Fix a buffer overflow on an overlong DBD class name


Tim Bunce

Aug 2, 2019, 12:30:03 AM
to dbi...@perl.org
Branch: refs/heads/master
Home: https://github.com/perl5-dbi/dbi
Commit: 36f2a2c5fea36d7d47d6871e420286643460e71b
https://github.com/perl5-dbi/dbi/commit/36f2a2c5fea36d7d47d6871e420286643460e71b
Author: Petr Písař <ppi...@redhat.com>
Date: 2019-08-01 (Thu, 01 Aug 2019)

Changed paths:
M DBI.xs
M t/02dbidrv.t

Log Message:
-----------
Fix a buffer overflow on an overlong DBD class name

dbih_setup_handle() in DBI.xs does:

static void
dbih_setup_handle(pTHX_ SV *orv, char *imp_class, SV *parent, SV *imp_datasv)
{
[...]
char imp_mem_name[300];
[...]
strcpy(imp_mem_name, imp_class);
strcat(imp_mem_name, "_mem");
[...]
}

If the imp_class argument string value is longer than 300 - strlen("_mem")
- 1 bytes, data will be written past the imp_mem_name[] array. The
imp_class comes from the DBD driver class name (DBI::_new_drh ->
_new_handle() -> dbih_setup_handle()).

People usually do not use such long package names (e.g. DBD::ExampleP
calls DBI::_new_drh() in lib/DBD/ExampleP.pm), so the risk is low.

Reproducer:

$ perl -MDBI -e 'DBI::_new_drh(q{x} x 300, {}, 0)'
*** buffer overflow detected ***: perl terminated
Aborted (core dumped)

https://rt.cpan.org/Ticket/Display.html?id=130191


Commit: eaf547a5696b8530b597f82dbb094ff1e3f6713d
https://github.com/perl5-dbi/dbi/commit/eaf547a5696b8530b597f82dbb094ff1e3f6713d
Author: Tim Bunce <Tim....@pobox.com>
Date: 2019-08-01 (Thu, 01 Aug 2019)

Changed paths:
M DBI.xs
M t/02dbidrv.t

Log Message:
-----------
Merge pull request #83 from ppisar/imp_mem_name

Fix a buffer overflow on an overlong DBD class name


Compare: https://github.com/perl5-dbi/dbi/compare/a0e17557590f...eaf547a5696b
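As an added illustration (not part of the commit above and not DBI's own code), here is a bounded replacement for the unchecked strcpy/strcat pair quoted in the commit message: it checks that the class name, the "_mem" suffix and the terminating NUL all fit in the 300-byte buffer before anything is written, and rejects the reproducer's 300-byte class name instead of overflowing. The function names, the helper that builds a test name of a given length, and the use of a return code rather than Perl's croak are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Same fixed buffer size as the imp_mem_name[300] array quoted from DBI.xs. */
#define IMP_MEM_NAME_LEN 300
#define IMP_MEM_SUFFIX "_mem"

/*
 * Compose "<imp_class>_mem" into out (capacity outsz) only if the whole
 * string including the NUL fits. Returns 1 on success, 0 when the class
 * name is too long; on failure out is left as an empty string and no
 * byte past the buffer is ever touched. Illustrative code, not DBI's fix.
 */
int build_imp_mem_name(char *out, size_t outsz, const char *imp_class)
{
    size_t class_len  = strlen(imp_class);
    size_t suffix_len = strlen(IMP_MEM_SUFFIX);

    /* Buffer cannot even hold the suffix and a NUL: refuse outright. */
    if (outsz < suffix_len + 1)
        return 0;
    /* Check before copying: class + suffix + NUL must fit in outsz. */
    if (class_len > outsz - suffix_len - 1) {
        out[0] = '\0';
        return 0;
    }
    memcpy(out, imp_class, class_len);
    memcpy(out + class_len, IMP_MEM_SUFFIX, suffix_len + 1); /* includes NUL */
    return 1;
}

/* Longest class name the 300-byte buffer can accept: 300 - 4 - 1 = 295. */
size_t max_imp_class_len(void)
{
    return IMP_MEM_NAME_LEN - strlen(IMP_MEM_SUFFIX) - 1;
}

/*
 * Helper for experiments: builds a constructed class name of n 'x'
 * characters (like the reproducer's q{x} x 300) and reports whether
 * build_imp_mem_name() accepts it into a 300-byte buffer.
 */
int class_of_len_fits(size_t n)
{
    char name[1024];
    char imp_mem_name[IMP_MEM_NAME_LEN];

    if (n >= sizeof name)
        return 0;
    memset(name, 'x', n);
    name[n] = '\0';
    return build_imp_mem_name(imp_mem_name, sizeof imp_mem_name, name);
}

int main(void)
{
    char imp_mem_name[IMP_MEM_NAME_LEN];

    if (build_imp_mem_name(imp_mem_name, sizeof imp_mem_name, "DBD::ExampleP"))
        printf("ok: %s\n", imp_mem_name);

    /* The reproducer's 300-character name is now rejected, not overflowed. */
    printf("300-byte class name accepted? %d (limit is %zu bytes)\n",
           class_of_len_fits(300), max_imp_class_len());
    return 0;
}
```

The boundary is the point of the check: a 295-byte name is the longest that fits once the four-byte suffix and the NUL are counted, so 296 and the reproducer's 300 are both refused before any write happens.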