[PATCH] perlarray strange behaviour

Tue, 25 Jun 2002 02:30:36 -0700 


i found some strange behaviour in perlarray.pmc
Consider this code: 

        new P0, .PerlArray, 2 # P0[2]
        set P0, 2, 1 # P0[2] = 1
        set P0, -4, 1 # P0[-4] = 1 

        # Above runs some strange code: 
        # ix += SELF->cache.int_val 
        # where ix is our key
        # in our case:
        # ix = -4 + 2 , ix is now -2 
        # lets se if we have anything at key -2
        
        set I0, P0, -2
        print I0
        print "\n"
        
        end

output:
1


This behaviour could be exploitable since it's easy to overflow the heap        

I've included a fast hack to stop this leakage..


/josef  


--- perlarray.pmc.orig  Tue Jun 25 11:23:40 2002
+++ perlarray.pmc       Tue Jun 25 11:23:14 2002
@@ -100,7 +100,7 @@
             resize_array(interpreter, SELF, ix+1);
         }
         if (ix < 0) {
-            ix += SELF->cache.int_val;
+            ix = SELF->cache.int_val;
         }
 
         array = ((Buffer *) SELF->data)->bufstart;
@@ -128,7 +128,7 @@
             resize_array(interpreter, SELF, ix+1);
         }
         if (ix < 0) {
-            ix += SELF->cache.int_val;
+            ix = SELF->cache.int_val;
         }
 
         array = ((Buffer *) SELF->data)->bufstart;
@@ -156,7 +156,7 @@
             resize_array(interpreter, SELF, ix+1);
         }
         else if (ix < 0) {
-            ix += SELF->cache.int_val;
+            ix = SELF->cache.int_val;
         }
 
         array = ((Buffer *) SELF->data)->bufstart;
@@ -180,7 +180,7 @@
             resize_array(interpreter, SELF, ix+1);
         }
         else if (ix < 0) {
-            ix += SELF->cache.int_val;
+            ix = SELF->cache.int_val;
         }
 
         array = ((Buffer *) SELF->data)->bufstart;
@@ -236,10 +236,10 @@
 
         if (ix >= SELF->cache.int_val) {
             resize_array(interpreter, SELF, ix+1);
-        }
+       }
         else if (ix < 0) {
-            ix += SELF->cache.int_val;
-        }
+            ix = SELF->cache.int_val;
+       }
 
         array = ((Buffer *) SELF->data)->bufstart;
         element = array[ix];
@@ -284,7 +284,7 @@
             resize_array(interpreter, SELF, ix+1);
         }
         else if (ix < 0) {
-            ix += SELF->cache.int_val;
+            ix = SELF->cache.int_val;
         }
 
         array = ((Buffer *) SELF->data)->bufstart;
@@ -328,7 +328,7 @@
             resize_array(interpreter, SELF, ix+1);
         }
         else if (ix < 0) {
-            ix += SELF->cache.int_val;
+            ix = SELF->cache.int_val;
         }
 
         array = ((Buffer *) SELF->data)->bufstart;
@@ -356,7 +356,7 @@
             resize_array(interpreter, SELF, ix+1);
         }
         else if (ix < 0) {
-            ix += SELF->cache.int_val;
+            ix = SELF->cache.int_val;
         }
 
         if (src_key) src = src->vtable->get_pmc_keyed(INTERP, src, src_key);

Reply via email to