On Sun, Mar 24, 2013 at 10:28:00PM -0400, George Greer wrote:

> v5.17.10-19-g5a04397
> Configuration (common) -Accflags="-DPERL_POISON -fsanitize=address" -Aldflags="-fsanitize=address" -Dcc=clang
> ----------- ---------------------------------------------------------
> M M
> M M          -Duseithreads
> | +--------- -DDEBUGGING
> +----------- no debugging
I built gcc 4.8.0 yesterday and tried out its implementation of address sanitizer. That found the same problem, and I've pushed what I think is the fix to smoke-me/nicholas/perlio-ASAN

commit 4ba8a877cc6deeac385b6240aed81c502cfc779d
Author: Nicholas Clark <n...@ccl4.org>
Date:   Mon Mar 25 10:20:05 2013 +0100

    PerlIO_find_layer should not be using memEQ() off the end of the layer name.

    PerlIO_find_layer was using memEQ() to compare the name of the desired layer
    with each layer in the array of known layers. However, it was always using
    the length of the desired layer for the comparison, whatever the length of
    the name it was comparing it with, resulting in out-of-bounds reads.

diff --git a/perlio.c b/perlio.c
index d356a7b..2e5a77d 100644
--- a/perlio.c
+++ b/perlio.c
@@ -811,7 +811,8 @@ PerlIO_find_layer(pTHX_ const char *name, STRLEN len, int load)
 	len = strlen(name);
     for (i = 0; i < PL_known_layers->cur; i++) {
 	PerlIO_funcs * const f = PL_known_layers->array[i].funcs;
-	if (memEQ(f->name, name, len) && f->name[len] == 0) {
+	const STRLEN this_len = strlen(f->name);
+	if (this_len == len && memEQ(f->name, name, len)) {
 	    PerlIO_debug("%.*s => %p\n", (int) len, name, (void*)f);
 	    return f;
 	}

Nicholas Clark
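Review bot: in the replacement `if`, keep the `this_len == len` test ahead of `memEQ`, since that ordering is what removes the over-read: `memEQ` now only runs against an entry whose buffer is exactly `len + 1` bytes, so neither the `len`-byte compare against a shorter `f->name` nor the old `f->name[len]` probe can run past the entry. Staying with `memEQ` rather than `strEQ` is also right, because `name` arrives with an explicit `STRLEN len` and may be an unterminated slice of a longer string, while only `f->name` is known to be NUL-terminated. The added cost is one `strlen(f->name)` per known layer on every lookup; that is fine for a table this small, but if the loop ever shows up in profiles the length could be kept next to `name` in `PerlIO_funcs` instead of recomputed.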
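The before/after comparison from the commit, as an added example that is not part of the original message or of perlio.c: a constructed layer table stands in for PL_known_layers, and every byte fetch is bounds-checked against the entry's real allocation so the demo counts the bytes the old `memEQ(f->name, name, len)` would have read past a shorter entry instead of actually reading them.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the PL_known_layers array. sizeof on the literal
   records the bytes actually allocated for each name (strlen + 1). */
struct layer { const char *name; size_t alloc; };
#define LAYER(s) { s, sizeof s }
static const struct layer layers[] = { LAYER("unix"), LAYER("raw"), LAYER("perlio"), LAYER("crlf") };
#define N_LAYERS (sizeof layers / sizeof layers[0])

/* Bounds-checked byte fetch: a read past the entry's allocation is counted
   in *oob and yields 0 instead of touching memory, so the demo itself has
   no undefined behaviour while still modelling what memEQ would read. */
static unsigned char read_byte(const struct layer *e, size_t idx, size_t *oob)
{
    if (idx < e->alloc)
        return (unsigned char)e->name[idx];
    (*oob)++;
    return 0;
}

/* Models memEQ(e->name, name, len): all len bytes are read, as the C standard
   permits and as AddressSanitizer's memcmp interceptor checks. */
static int mem_eq_modelled(const struct layer *e, const char *name, size_t len, size_t *oob)
{
    int equal = 1;
    for (size_t i = 0; i < len; i++)
        if (read_byte(e, i, oob) != (unsigned char)name[i])
            equal = 0;
    return equal;
}

/* Before the fix: len bytes are compared whatever the entry's own length. */
static int find_layer_before(const char *name, size_t len, size_t *oob)
{
    *oob = 0;
    for (size_t i = 0; i < N_LAYERS; i++)
        if (mem_eq_modelled(&layers[i], name, len, oob) && read_byte(&layers[i], len, oob) == 0)
            return (int)i;
    return -1;
}

/* After the fix: lengths must agree before any bytes are compared. */
static int find_layer_after(const char *name, size_t len, size_t *oob)
{
    *oob = 0;
    for (size_t i = 0; i < N_LAYERS; i++)
        if (layers[i].alloc - 1 == len && mem_eq_modelled(&layers[i], name, len, oob))
            return (int)i;
    return -1;
}
```

Looking up "perlio" walks past "unix" and "raw" first, so the old loop reads 1 + 2 bytes beyond those entries before it finds the match; the fixed loop finds the same entry with no out-of-bounds reads.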