memory corruption / security bug in sysread,syswrite + patch
Using a negative offset in sysread() gives interesting results.
I get either
assertion botched: OV_MAGIC(op, bucket) == MAGIC
zsh: 22828 abort perl xp1 < /etc/passwd
if the offset is 'mild' or
panic: realloc at xp2 line 1.
if the offset is 'wild'.
Using a negative offset in syswrite() opens up interesting vistas,
like, say, your stack :-)
A patch follows. 'Reasonably' small negative values are accepted,
they count from the end of the data. One possible point of debate:
should that be +1? That is, if the offset is negative, should that
mean 1) at the point 2) after the point? For sysread(), "after" might
sometimes be a better choice?
p5p-msgid: <
199611231705.TAA02671@alpha.hut.fi>
private-msgid: <
199611251946.VAA30459@alpha.hut.fi>
projects / p5sagit/p5-mst-13.2.git / commit