avoid calling memset with a negative count

Poorly written perl code that allows an attacker to specify the count to perl's 'x' string repeat operator can already cause a memory exhaustion denial-of-service attack. A flaw in versions of perl before 5.15.5 can escalate that into a heap buffer overrun; coupled with versions of glibc before 2.16, it possibly allows the execution of arbitrary code. The flaw addressed to this commit has been assigned identifier CVE-2012-5195.
author: Andy Dougherty <doughera@lafayette.edu> 2012-09-27 09:52:18 -0400
committer: Ricardo Signes <rjbs@cpan.org> 2012-10-10 07:48:13 -0400
commit: b675304e3fdbcce3ef853b06b6ebe870d99faa7e (patch)
tree: 5239f33a5896b4968817ef25a5af9076d6caf9d2
parent: 3c363322472ebbba6cfcdd732a52f7203bbcf9b9 (diff)
download: perl-b675304e3fdbcce3ef853b06b6ebe870d99faa7e.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/util.c b/util.c
index 0ea39c619e..230211ecb4 100644
--- a/util.c
+++ b/util.c
@@ -3319,6 +3319,9 @@ Perl_repeatcpy(register char *to, register const char *from, I32 len, register I
 {
     PERL_ARGS_ASSERT_REPEATCPY;
 
+    if (count < 0)
+	Perl_croak_nocontext("%s",PL_memory_wrap);
+
     if (len == 1)
 	memset(to, *from, count);
     else if (count) {
author	Andy Dougherty <doughera@lafayette.edu>	2012-09-27 09:52:18 -0400
committer	Ricardo Signes <rjbs@cpan.org>	2012-10-10 07:48:13 -0400
commit	b675304e3fdbcce3ef853b06b6ebe870d99faa7e (patch)
tree	5239f33a5896b4968817ef25a5af9076d6caf9d2
parent	3c363322472ebbba6cfcdd732a52f7203bbcf9b9 (diff)
download	perl-b675304e3fdbcce3ef853b06b6ebe870d99faa7e.tar.gz