avoid calling memset with a negative count

doughera88 · rjbs · commit 2709980d5a19 · 2012-10-17T11:47:58.000-04:00
Poorly written perl code that allows an attacker to specify the count to perl's 'x' string repeat operator can already cause a memory exhaustion denial-of-service attack. A flaw in versions of perl before 5.15.5 can escalate that into a heap buffer overrun; coupled with versions of glibc before 2.16, it possibly allows the execution of arbitrary code. The flaw addressed to this commit has been assigned identifier CVE-2012-5195.
diff --git a/util.c b/util.c
@@ -3256,6 +3256,9 @@ Perl_repeatcpy(register char *to, register const char *from, I32 len, register I
 {
     PERL_ARGS_ASSERT_REPEATCPY;
 
+    if (count < 0)
+	Perl_croak_nocontext("%s",PL_memory_wrap);
+
     if (len == 1)
 	memset(to, *from, count);
     else if (count) {

Original file line number	Diff line number	Diff line change
`@@ -3256,6 +3256,9 @@ Perl_repeatcpy(register char to, register const char from, I32 len, register I`
`3256`	`3256`	`{`
`3257`	`3257`	`PERL_ARGS_ASSERT_REPEATCPY;`
`3258`	`3258`
	`3259`	`+ if (count < 0)`
	`3260`	`+ Perl_croak_nocontext("%s",PL_memory_wrap);`
	`3261`	`+`
`3259`	`3262`	`if (len == 1)`
`3260`	`3263`	`memset(to, *from, count);`
`3261`	`3264`	`else if (count) {`