New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Perl crash due to wrong delimiter in PATH env #11500
Comments
From karthik.rajagopalan@schrodinger.comHi, The following script access the dirTableA beyond the array limit and @path = ( "C:/Windows/system32", ); foreach my $dir(@path) For second component of @path, the index in vdir.h is -51 and This is seen in all platforms of Windows and we observed the crash -Karthik |
From karthik.rajagopalan@schrodinger.com0001-Restrict-the-dirTableA-access-between-0-and-drivecou.patchFrom 56777d9085e995e6cc41020db088d02b444914ac Mon Sep 17 00:00:00 2001
From: Karthik Rajagopalan <rajagopa@pauline.schrodinger.com>
Date: Thu, 14 Jul 2011 13:29:26 -0400
Subject: [PATCH 1/2] Restrict the dirTableA access between 0 and
drivecount-1.
In situation where PATH env is set with wrong delimiter say -
c:\\component1;c:\\component2;.:c:/component1:c:/component2
the code in perl which check if an executable exist in each component
of PATH env would crash. Though the delimiter need to be fixed, it is better
to avoid perl crash due to invalid access for wrong input.
---
win32/vdir.h | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/win32/vdir.h b/win32/vdir.h
index db7ec84..2b36635 100644
--- a/win32/vdir.h
+++ b/win32/vdir.h
@@ -83,7 +83,15 @@ protected:
};
inline const char *GetDirA(int index)
{
- char *ptr = dirTableA[index];
+ char *ptr = NULL;
+
+ // Limit the access to dirTableA between
+ // 0 and driveCount-1. This can result
+ // in crash if PATH env is set with wrong
+ // delimiter otherwise - Karthik Rajagopalan
+ if(index >=0 && index < driveCount)
+ ptr = dirTableA[index];
+
if (!ptr) {
/* simulate the existance of this drive */
ptr = szLocalBufferA;
--
1.7.5
|
karthik.rajagopalan@schrodinger.com - Status changed from 'new' to 'open' |
karthik.rajagopalan@schrodinger.com - Status changed from 'open' to 'new' |
From @steve-m-hayThanks for the patch. I haven't had a chance to try it yet, but from |
The RT System itself - Status changed from 'new' to 'open' |
From rajagopa@schrodinger.comHi Shay, On Wed Aug 10 14:56:18 2011, shay wrote:
Yes, I will submit the revised patch for it today. -Karthik |
From @cpansproutOn Thu Aug 11 05:11:36 2011, kartlee wrote:
Did you ever get a chance to revise the patch? |
From rajagopa@schrodinger.comHi,
This really slipped out of my list. I am really sorry for the delay. I -Karthik |
From rajagopa@schrodinger.comHi, I now attached the patch for this case. Please review and let me know -Karthik |
From rajagopa@schrodinger.com0001-Restrict-the-dirTableA-and-dirTableW-access-between-.patchFrom 32bc7a6d53758eed943047a2ab3cfc7ef4337d02 Mon Sep 17 00:00:00 2001
From: Karthik Rajagopalan <rajagopa@francesca.schrodinger.com>
Date: Mon, 31 Oct 2011 17:24:39 -0400
Subject: [PATCH] Restrict the dirTableA and dirTableW access between 0 and
driveCount -1.
In situation where PATH env is set with wrong delimiter say -
"c:\\component1;c:\\component2;.:c:/component1:c:/component2"
the code in perl which check if an executable exist in each component
of PATH env would crash. Though the delimiter need to be fixed, it is better
to avoid perl crash due to invalid access for wrong input.
---
win32/vdir.h | 24 ++++++++++++++++++++----
1 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/win32/vdir.h b/win32/vdir.h
index db7ec84..4e6b615 100644
--- a/win32/vdir.h
+++ b/win32/vdir.h
@@ -83,7 +83,15 @@ protected:
};
inline const char *GetDirA(int index)
{
- char *ptr = dirTableA[index];
+ char *ptr = NULL;
+
+ // Limit the access to dirTableA between
+ // 0 and driveCount-1. This can result
+ // in crash if PATH env is set with wrong
+ // delimiter otherwise - Karthik Rajagopalan
+ if(index >=0 && index < driveCount)
+ ptr = dirTableA[index];
+
if (!ptr) {
/* simulate the existance of this drive */
ptr = szLocalBufferA;
@@ -96,7 +104,15 @@ protected:
};
inline const WCHAR *GetDirW(int index)
{
- WCHAR *ptr = dirTableW[index];
+ WCHAR *ptr = NULL;
+
+ // Limit the access to dirTableW between
+ // 0 and driveCount-1. This can result
+ // in crash if PATH env is set with wrong
+ // delimiter otherwise - Karthik Rajagopalan
+ if(index >=0 && index < driveCount)
+ ptr = dirTableW[index];
+
if (!ptr) {
/* simulate the existance of this drive */
ptr = szLocalBufferW;
@@ -192,7 +208,7 @@ int VDir::SetDirA(char const *pPath, int index)
char chr, *ptr;
int length = 0;
WCHAR wBuffer[MAX_PATH+1];
- if (index < driveCount && pPath != NULL) {
+ if (index >= 0 && index < driveCount && pPath != NULL) {
length = strlen(pPath);
pMem->Free(dirTableA[index]);
ptr = dirTableA[index] = (char*)pMem->Malloc(length+2);
@@ -262,7 +278,7 @@ int VDir::SetDirW(WCHAR const *pPath, int index)
{
WCHAR chr, *ptr;
int length = 0;
- if (index < driveCount && pPath != NULL) {
+ if (index >= 0 && index < driveCount && pPath != NULL) {
length = wcslen(pPath);
pMem->Free(dirTableW[index]);
ptr = dirTableW[index] = (WCHAR*)pMem->Malloc((length+2)*2);
--
1.7.7.1
|
From @cpansproutOn Mon Oct 31 14:33:16 2011, kartlee wrote:
Steve Hay: Could you review the new patch in this ticket? -- Father Chrysostomos |
From [Unknown Contact. See original ticket]On Mon Oct 31 14:33:16 2011, kartlee wrote:
Steve Hay: Could you review the new patch in this ticket? -- Father Chrysostomos |
From @steve-m-hayOn Mon Oct 31 14:47:26 2011, sprout wrote:
Thanks for the new patch, but I had been thinking of adding extra checks However, on closer inspection, I'm not sure that the fix is ideal anyway. I've run your example script with several different perl builds (without Stepping through it again in the debugger with your patch, it now if (!ptr) { which produces a garbage 'drive' in the ptr array (think: which ASCII Perhaps GetDirA should just return NULL if index is out of bounds? But |
From @rjbsSteve, do you have any news on this? |
From @cpansproutOn Thu Mar 22 18:50:14 2012, rjbs wrote:
This seems like an appropriate time for me to say why I made it a I made it a blocker because it was a patch I couldn’t review, and it Since then, Steve Hay has pointed out problems with (both iterations of) So, I don’t think it needs to block the release of 5.16. -- Father Chrysostomos |
From @steve-m-hayOn Thu Mar 22 20:27:26 2012, sprout wrote:
Sorry, I don't have any more news on this really. I was also waiting for I agree that it shouldn't be a blocker, though. It's not a new The crash arises because the wrong path separator has been used -- ":" The following one-liner reproduces the crash: perl -e "-e '.:'" as do plenty of other things with garbage where a drive letter was perl -e "-e '1:'" but it really only arose because of the wrong path separator having been |
From @rjbs* Steve Hay via RT <perlbug-followup@perl.org> [2012-03-23T13:49:17]
Thanks, guys. Unblockered. -- |
From @jkeenanOn Fri Mar 23 10:49:16 2012, shay wrote:
I don't get these segfaults with Perl 5.16.0 on Darwin. ##### Is it possible this was a Win32-only bug? Thank you very much. |
From @bulk88On Fri Mar 23 10:49:16 2012, shay wrote:
Can not reproduce with ActivePerl 5.10 or 5.17.7. I ran "perl -e "-e |
From @steve-m-hayI'm not sure I ever saw it crash, actually -- but if you step through it in On 3 February 2013 20:59, bulk88 via RT <perlbug-followup@perl.org> wrote:
|
@steve-m-hay can this ticket be closed? The 2nd patch was provided: #11500 (comment) |
Migrated from rt.perl.org#94846 (status was 'open')
Searchable as RT94846$
The text was updated successfully, but these errors were encountered: