avoid calling memset with a negative count
Poorly written perl code that allows an attacker to specify the count to
perl's 'x' string repeat operator can already cause a memory exhaustion
denial-of-service attack. A flaw in versions of perl before 5.15.5 can
escalate that into a heap buffer overrun; coupled with versions of glibc
before 2.16, it possibly allows the execution of arbitrary code.

The flaw addressed by this commit has been assigned identifier
CVE-2012-5195.
doughera88 authored and rjbs committed Oct 10, 2012
1 parent 3c36332 commit b675304
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions util.c
Expand Up @@ -3319,6 +3319,9 @@ Perl_repeatcpy(register char *to, register const char *from, I32 len, register I
{
PERL_ARGS_ASSERT_REPEATCPY;

if (count < 0)
Perl_croak_nocontext("%s",PL_memory_wrap);

if (len == 1)
memset(to, *from, count);
else if (count) {
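
Review bot: the new guard at the top of Perl_repeatcpy validates only count, while len is also a signed I32 and reaches the non-memset branch unchecked in the lines shown. Consider rejecting (or asserting against) len < 0 in the same place so both size arguments are validated before any copy. A one-line comment above the check would also help: memset takes a size_t, so a negative count is converted to a very large length, and PL_memory_wrap on its own does not tell the next reader why a sign check is needed here.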