Protect against pack/unpack repeat count overflows,

based on:
To: Brian Keefer <mgomes@cwix.com>
Cc: perl5-porters@perl.org
Subject: Re: [ID 19990806.001] Core dump with obfuscated code
Message-ID: <14250.27711.769942.100675@localhost.frii.com>

p4raw-id: //depot/cfgperl@3928

diff --git a/pod/perldiag.pod b/pod/perldiag.pod
index 8e686ba..a068427 100644 (file)
--- a/pod/perldiag.pod
+++ b/pod/perldiag.pod
@@ -87,6 +87,16 @@ See L<perlfunc/pack>.
 checksumming process loses information, and you can't go the other
 way.  See L<perlfunc/unpack>.
 
+=item Repeat count in pack overflows
+
+(F) You can't specify a repeat count so large that it overflows
+your signed integers.  See L<perlfunc/pack>.
+
+=item Repeat count in unpack overflows
+
+(F) You can't specify a repeat count so large that it overflows
+your signed integers.  See L<perlfunc/unpack>.
+
 =item /%s/: Unrecognized escape \\%c passed through
 
 (W) You used a backslash-character combination which is not recognized

diff --git a/pp.c b/pp.c
index 8437e5b..a020f54 100644 (file)
--- a/pp.c
+++ b/pp.c
@@ -3350,8 +3350,11 @@ PP(pp_unpack)
        }
        else if (isDIGIT(*pat)) {
            len = *pat++ - '0';
-           while (isDIGIT(*pat))
+           while (isDIGIT(*pat)) {
                len = (len * 10) + (*pat++ - '0');
+               if (len < 0)
+                   Perl_croak(aTHX_ "Repeat count in unpack overflows");
+           }
        }
        else
            len = (datumtype != '@');
@@ -4394,8 +4397,11 @@ PP(pp_pack)
        }
        else if (isDIGIT(*pat)) {
            len = *pat++ - '0';
-           while (isDIGIT(*pat))
+           while (isDIGIT(*pat)) {
                len = (len * 10) + (*pat++ - '0');
+               if (len < 0)
+                   Perl_croak(aTHX_ "Repeat count in pack overflows");
+           }
        }
        else
            len = 1;