This is a live mirror of the Perl 5 development currently hosted at https://github.com/perl/perl5
locale.c: Avoid potential read beyond buffer end
authorKarl Williamson <khw@cpan.org>
Mon, 11 Sep 2017 23:24:00 +0000 (17:24 -0600)
committerKarl Williamson <khw@cpan.org>
Thu, 9 Nov 2017 06:35:36 +0000 (23:35 -0700)
I noticed this flaw by code reading; I doubt that it's exploitable.
foldEQ assumes that both operands are at least as long as its length
parameter.  In this case, it's possible that the codeset returned by
nl_langinfo is shorter than 5, in which case, it would try to access the
extra characters in the heap.  Real codesets tend to be longer than
this, so an attacker would likely have to install a locale with a
made-up codeset whose name is shorter.

Even the C locale is longer: "ANSI_X3.4-1968"

locale.c

index b2eaf4c..a2985f7 100644 (file)
--- a/locale.c
+++ b/locale.c
@@ -3018,8 +3018,10 @@ Perl__is_cur_LC_category_utf8(pTHX_ int category)
                     Safefree(save_ctype_locale);
                 }
 
-                is_utf8 = foldEQ(codeset, STR_WITH_LEN("UTF-8"))
-                        || foldEQ(codeset, STR_WITH_LEN("UTF8"));
+                is_utf8 = (   (   strlen(codeset) == STRLENs("UTF-8")
+                               && foldEQ(codeset, STR_WITH_LEN("UTF-8")))
+                           || (   strlen(codeset) == STRLENs("UTF8")
+                               && foldEQ(codeset, STR_WITH_LEN("UTF8"))));
 
                 DEBUG_L(PerlIO_printf(Perl_debug_log,
                        "\tnllanginfo returned CODESET '%s'; ?UTF8 locale=%d\n",