
SEGV with eval "use ..." and method call #1336

Closed
p5pRT opened this issue Mar 14, 2000 · 4 comments

Comments


p5pRT commented Mar 14, 2000

Migrated from rt.perl.org#2364 (status was 'resolved')

Searchable as RT2364$


p5pRT commented Mar 14, 2000

From @andk

Sorry if this is a duplicate, I sent a similar report with perlbug
yesterday but didn't receive it back nor can I find it in the archive.
Maybe mail on that machine was misconfigured.

It's a long standing bug, the following code core dumps with
yesterday's repository perl.

perl -le '
require "MD5.pm";
sub new { bless {}, shift;} # OK if commented
open FH, "/etc/hosts" or die;
my $md5 = new MD5; # OK if MD5->new
print "md5[$md5]\n"; # prints e.g. md5[MD5=HASH(0x80ee280)]
$md5->addfile(*FH); # SEGV
'
md5[MD5=HASH(0x80ed200)]

zsh: segmentation fault (core dumped)

I have reported this long time ago (no bug ID), you can find the old
postings with this query:

  http://www.xray.mpe.mpg.de/cgi-bin/w3glimpse/perl5-porters?query=md5+addfile+hash&errors=0&case=on&maxfiles=100&maxlines=30

--
andreas


p5pRT commented Mar 14, 2000

From @gsar

On 14 Mar 2000 10:08:54 +0100, Andreas J. Koenig wrote:

> Sorry if this is a duplicate, I sent a similar report with perlbug
> yesterday but didn't receive it back nor can I find it in the archive.
> Maybe mail on that machine was misconfigured.
>
> It's a long standing bug, the following code core dumps with
> yesterday's repository perl.
>
> perl -le '
> require "MD5.pm";
> sub new { bless {}, shift;} # OK if commented
> open FH, "/etc/hosts" or die;
> my $md5 = new MD5; # OK if MD5->new
> print "md5[$md5]\n"; # prints e.g. md5[MD5=HASH(0x80ee280)]
> $md5->addfile(*FH); # SEGV
> '
> md5[MD5=HASH(0x80ed200)]
>
> zsh: segmentation fault (core dumped)

The C<new MD5> there is being parsed as a subroutine call new('MD5').
So you're effectively doing:

  bless({},'MD5')->addfile(*FOO);

MD5::addfile apparently doesn't like that uninitialized fake MD5 object
very much. (You might want to talk to the author of MD5 about that.)

Just never ever use the indirect object form with a bareword name.
This is precisely why we support C<new MD5::>, which ought to work
fine.

Sarathy
gsar@ActiveState.com
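The parse Sarathy describes, as an added example that is not part of the ticket and not code from the MD5 module. Digestish is a hypothetical class standing in for MD5; it is loaded at run time by a string eval, the way the report's require "MD5.pm" loaded MD5, so perl has not seen the package when it compiles new Digestish. B::Deparse shows how each spelling is parsed, and the class's add method does at the Perl level what the signature check in the XS is meant to do: refuse an object its own constructor never built instead of trusting the blessing.

```perl
#!/usr/bin/perl
# Added example, not code from the ticket. Digestish is a hypothetical
# stand-in for the MD5 class; the parse rule it demonstrates is the one
# Sarathy describes.
use strict;
use warnings;
use Scalar::Util ();
use Carp ();
use B::Deparse;

# The class is loaded at run time by a string eval, like the report's
# require "MD5.pm": when perl compiles "new Digestish" further down it has
# not yet seen a package of that name.
eval q{
    package Digestish;

    sub new {
        my ($class) = @_;
        return bless { ctx => [] }, $class;   # the real constructor sets up state
    }

    sub add {
        my ($self, $data) = @_;
        # Validate the invocant before touching its state, in the spirit of
        # get_md5_ctx(): a blessing alone says nothing about who built the
        # reference or whether the constructor ever ran.
        Carp::croak("Not a properly initialised Digestish object")
            unless Scalar::Util::blessed($self)
                && $self->isa('Digestish')
                && Scalar::Util::reftype($self) eq 'HASH'
                && ref($self->{ctx}) eq 'ARRAY';
        push @{ $self->{ctx} }, $data;
        return scalar @{ $self->{ctx} };
    }

    1;
} or die $@;

# The trap from the ticket: a sub called "new" in the caller's package.
sub new { bless {}, shift }   # "OK if commented", exactly as reported

# The report's one-liner ran without strict; strict 'subs' is relaxed here
# so the bareword argument compiles and the same parse can happen.
no strict 'subs';

# Ask perl how it parsed each spelling. Only the bare "new Digestish" form
# comes out as a plain call to main::new; the other two are method calls.
my $deparse = B::Deparse->new;
my %parsed = (
    'new Digestish'   => $deparse->coderef2text(sub { new Digestish }),
    'Digestish->new'  => $deparse->coderef2text(sub { Digestish->new }),
    'new Digestish::' => $deparse->coderef2text(sub { new Digestish:: }),
);
for my $spelling (sort keys %parsed) {
    (my $code = $parsed{$spelling}) =~ s/\s+/ /g;
    printf "%-16s parses as %s\n", $spelling, $code;
}

# Run-time consequence: the indirect form hands main::new's empty hash,
# blessed into Digestish, to a method that expected a real context.
my $good = Digestish->new;
print "Digestish->new:  add() returned ", $good->add("payload"), "\n";

my $alt = new Digestish::;
print "new Digestish::: add() returned ", $alt->add("payload"), "\n";

my $bad = new Digestish;          # really main::new('Digestish')
print "new Digestish:   object is ", ref($bad),
      " with keys [", join(",", keys %$bad), "]\n";
eval { $bad->add("payload"); 1 }
    or print "new Digestish:   add() refused: $@";
```

Run it with perl: the deparse lines show new Digestish as a call to main::new while the other two spellings are class method calls, the object from the indirect form is blessed into Digestish but has no keys (the md5[MD5=HASH(...)] situation from the report), and the final eval reports a clean refusal from add() rather than a crash.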


p5pRT commented Mar 16, 2000

From @gisle

Gurusamy Sarathy <gsar@ActiveState.com> writes:

> On 14 Mar 2000 10:08:54 +0100, Andreas J. Koenig wrote:
>
> > Sorry if this is a duplicate, I sent a similar report with perlbug
> > yesterday but didn't receive it back nor can I find it in the archive.
> > Maybe mail on that machine was misconfigured.
> >
> > It's a long standing bug, the following code core dumps with
> > yesterday's repository perl.
> >
> > perl -le '
> > require "MD5.pm";
> > sub new { bless {}, shift;} # OK if commented
> > open FH, "/etc/hosts" or die;
> > my $md5 = new MD5; # OK if MD5->new
> > print "md5[$md5]\n"; # prints e.g. md5[MD5=HASH(0x80ee280)]
> > $md5->addfile(*FH); # SEGV
> > '
> > md5[MD5=HASH(0x80ed200)]
> >
> > zsh: segmentation fault (core dumped)
>
> The C<new MD5> there is being parsed as a subroutine call new('MD5').
> So you're effectively doing:
>
>   bless({},'MD5')->addfile(*FOO);
>
> MD5::addfile apparently doesn't like that uninitialized fake MD5 object
> very much. (You might want to talk to the author of MD5 about that.)

This patch for Digest::MD5 should help, but it can still be made to
core dump with code like:

  perl -MMD5 -e '$a = 3333; $m = bless \$a, "MD5"; $m->add(*foo); print $m'

since we will here try to access memory at address 3333 in order to
verify the signature.

To be real safe I think I would have to hide the pointer in magic.
I'll try to improve it a bit more before uploading a Digest-MD5-2.10.

Perhaps the recommendations in perlxs for how to hide pointers to C
structures should be updated likewise and there be some standard safe
typemap for this kind of thing. Is magic the best way to go?

Regards,
Gisle

Index​: MD5.xs

RCS file​: /home/cvs/aas/perl/mods/md5/MD5.xs,v
retrieving revision 1.24
diff -u -p -u -r1.24 MD5.xs
--- MD5.xs 1999/07/28 10​:38​:50 1.24
+++ MD5.xs 2000/03/16 22​:24​:21
@​@​ -92,10 +92,12 @​@​ static void u2s(U32 u, U8* s)
  ((U32)(*(s+3)) << 24))
#endif

+#define MD5_CTX_SIGNATURE 200003165

/* This stucture keeps the current state of algorithm.
  */
typedef struct {
+ U32 signature; /* safer cast in get_md5_ctx() */
  U32 A, B, C, D; /* current digest */
  U32 bytes_low; /* counts bytes in message */
  U32 bytes_high; /* turn it into a 64-bit counter */
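Review bot: MD5_CTX_SIGNATURE is a fixed, public constant, so the field added here only tells an MD5_CTX apart from memory that happens not to begin with that word; it does not make an arbitrary IV safe to dereference, as the covering message already concedes for `bless \$a, "MD5"` with `$a = 3333`. The comment next to `U32 signature;` should say that the check is a sanity test rather than proof of validity, and the "stucture" typo in the touched comment can be fixed in the same hunk.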
@​@​ -418,8 +420,15 @​@​ MD5Final(U8* digest, MD5_CTX *ctx)

static MD5_CTX* get_md5_ctx(SV* sv)
{
- if (sv_derived_from(sv, "Digest​::MD5"))
- return (MD5_CTX*)SvIV(SvRV(sv));
+ if (SvROK(sv)) {
+ sv = SvRV(sv);
+ if (SvIOK(sv)) {
+ MD5_CTX* ctx = (MD5_CTX*)SvIV(sv);
+ if (ctx && ctx->signature == MD5_CTX_SIGNATURE) {
+ return ctx;
+ }
+ }
+ }
  croak("Not a reference to a Digest​::MD5 object");
  return (MD5_CTX*)0; /* some compilers insist on a return value */
}
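Review bot: the rewritten get_md5_ctx() drops the `sv_derived_from(sv, "Digest::MD5")` test entirely, so any reference to an integer-valued scalar, blessed into this class or not, is now dereferenced at `ctx->signature` before anything is known about it; that is exactly the read of address 3333 the message describes. Keep the class check as the first gate, which rejects unblessed and foreign references without touching memory, and apply the signature comparison only after it passes; it would also help to make the croak message distinguish "not a Digest::MD5 reference" from "bad context signature".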
@​@​ -515,6 +524,7 @​@​ new(xclass)
  STRLEN my_na;
  char *sclass = SvPV(xclass, my_na);
  New(55, context, 1, MD5_CTX);
+ context->signature = MD5_CTX_SIGNATURE;
  ST(0) = sv_newmortal();
  sv_setref_pv(ST(0), sclass, (void*)context);
  SvREADONLY_on(SvRV(ST(0)));
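Review bot: new() stamps the signature right after New(), but nothing in this patch clears it when the context is released, so a freed MD5_CTX still carries a valid-looking signature and a stale reference to it would pass get_md5_ctx() unchanged. Suggest setting `context->signature = 0` immediately before the context is freed (the freeing side is not in this diff) so that a use-after-free is caught by the same check the patch introduces.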


p5pRT commented Mar 17, 2000

From [Unknown Contact. See original ticket]

"Gisle" == Gisle Aas <gisle@aas.no> writes:
  Gisle> Perhaps the recommendations in perlxs for how to hide
  Gisle> pointers to C structures should be updated likewise and
  Gisle> there be some standard safe typemap for this kind of thing.
  Gisle> Is magic the best way to go?

You want '~' magic, but no, there's no standard typemap for it or any
other magic that I'm aware of.

--
Stephen

"If I claimed I was emporer just cause some moistened bint lobbed a
scimitar at me they'd put me away"
