memory corruption / security bug in sysread,syswrite + patch
Using a negative offset in sysread() gives interesting results.
I get either
assertion botched: OV_MAGIC(op, bucket) == MAGIC
zsh: 22828 abort perl xp1 < /etc/passwd
if the offset is 'mild' or
panic: realloc at xp2 line 1.
if the offset is 'wild'.
Using a negative offset in syswrite() opens up interesting vistas,
like, say, your stack :-)
A patch follows. 'Reasonably' small negative values are accepted;
they count from the end of the data. One possible point of debate:
should that be +1? That is, if the offset is negative, should that
mean 1) at the point 2) after the point? For sysread(), "after" might
sometimes be a better choice?
p5p-msgid: <199611231705.TAA02671@alpha.hut.fi>
private-msgid: <199611251946.VAA30459@alpha.hut.fi>