Fix a buffer overflow on an overlong DBD class name

dbih_setup_handle() in DBI.xs does:

    static void
    dbih_setup_handle(pTHX_ SV *orv, char *imp_class, SV *parent, SV *imp_datasv)
    {
        [...]
        char imp_mem_name[300];
        [...]
        strcpy(imp_mem_name, imp_class);
        strcat(imp_mem_name, "_mem");
        [...]
    }

If the imp_class argument string value is longer than 300 - strlen("_mem") - 1 bytes, data will be written past the imp_mem_name[] array.

The imp_class comes from the DBD driver class name (DBI::_new_drh -> _new_handle() -> dbih_setup_handle()). People usually do not use such long package names (e.g. DBD::ExampleP calls DBI::_new_drh() in lib/DBD/ExampleP.pm), so the risk is low.

Reproducer:

    $ perl -MDBI -e 'DBI::_new_drh(q{x} x 300, {}, 0)'
    *** buffer overflow detected ***: perl terminated
    Aborted (core dumped)

https://rt.cpan.org/Ticket/Display.html?id=130191
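
The length limit described in the commit message, as an added example that is not part of the commit or of DBI's code: a hypothetical helper `build_mem_name()` builds the `<class>_mem` name with `snprintf` and rejects any class name longer than 300 - strlen("_mem") - 1 = 295 bytes instead of writing past the buffer. The helper names, the macros and the reject-on-overflow policy are assumptions; the page does not show how the commit itself changes the code.

```c
#include <stdio.h>
#include <string.h>

#define IMP_MEM_NAME_SIZE 300   /* size of imp_mem_name[] quoted in the commit message */
#define MEM_SUFFIX "_mem"

/* Largest imp_class length that still fits: 300 - strlen("_mem") - 1 = 295. */
size_t max_class_len(void)
{
    return IMP_MEM_NAME_SIZE - strlen(MEM_SUFFIX) - 1;
}

/*
 * Hypothetical helper (not DBI's): build "<imp_class>_mem" into out.
 * Returns 0 on success, -1 if the result would not fit or on bad arguments.
 * On failure, out is left as an empty string so no truncated name is used.
 */
int build_mem_name(char *out, size_t outsz, const char *imp_class)
{
    int n;

    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (imp_class == NULL)
        return -1;

    /* snprintf never writes more than outsz bytes and reports the needed length. */
    n = snprintf(out, outsz, "%s%s", imp_class, MEM_SUFFIX);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char name[IMP_MEM_NAME_SIZE];
    char long_class[301];

    memset(long_class, 'x', 300);   /* constructed input, same length as the reproducer */
    long_class[300] = '\0';

    printf("DBD::ExampleP -> %d\n", build_mem_name(name, sizeof name, "DBD::ExampleP"));
    printf("300 x 'x'     -> %d\n", build_mem_name(name, sizeof name, long_class));
    return 0;
}
```
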