Subject: | Possible buffer overwrite with overlong driver class name |
dbih_setup_handle() in DBI.xs does:
    static void
    dbih_setup_handle(pTHX_ SV *orv, char *imp_class, SV *parent, SV *imp_datasv)
    {
        [...]
        char imp_mem_name[300];
        [...]
        strcpy(imp_mem_name, imp_class);
        strcat(imp_mem_name, "_mem");
        [...]
    }
If the imp_class argument is longer than 300 - strlen("_mem") - 1 = 295 bytes, strcat() writes past the end of the imp_mem_name[] array, which is a local (stack) buffer. imp_class is taken from the DBD driver class name (DBI::_new_drh -> _new_handle() -> dbih_setup_handle()), so the length is controlled by whoever names the driver package.
People usually do not use such long package names (e.g. DBD::ExampleP calls DBI::_new_drh() in lib/DBD/ExampleP.pm), but it would still be good to check the length and report an error instead of overflowing the buffer.
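To make the limit concrete, here is an added, stand-alone example (not DBI's own code, and not a proposed patch to DBI.xs) of a bounded replacement for the strcpy()/strcat() pair: it keeps the same 300-byte buffer, refuses any imp_class longer than 300 - strlen("_mem") - 1 = 295 bytes, and reports failure to the caller instead of writing past the array. The function names build_imp_mem_name(), max_imp_class_len(), try_class_name_of_length() and mem_name_for() are made up for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define IMP_MEM_NAME_SIZE 300   /* same size as imp_mem_name[] in dbih_setup_handle() */
#define MEM_SUFFIX "_mem"

/* Hypothetical bounded replacement for strcpy(imp_mem_name, imp_class);
 * strcat(imp_mem_name, "_mem").  Fills out[] with "<imp_class>_mem" and
 * returns 0 when the result fits in outsz bytes including the NUL;
 * otherwise leaves out[] as an empty string and returns -1. */
int build_imp_mem_name(char *out, size_t outsz, const char *imp_class)
{
    size_t cls_len = strlen(imp_class);
    size_t suffix_len = strlen(MEM_SUFFIX);

    /* Buffer too small even for the suffix and terminator: nothing fits. */
    if (outsz < suffix_len + 1)
        return -1;

    /* Check before writing: we need cls_len + suffix_len + 1 bytes. */
    if (cls_len > outsz - suffix_len - 1) {
        out[0] = '\0';
        return -1;
    }

    memcpy(out, imp_class, cls_len);
    memcpy(out + cls_len, MEM_SUFFIX, suffix_len + 1); /* copies the NUL too */
    return 0;
}

/* Longest class name that still fits in a buffer of outsz bytes:
 * outsz - strlen("_mem") - 1, i.e. 295 for the 300-byte array. */
size_t max_imp_class_len(size_t outsz)
{
    return outsz - strlen(MEM_SUFFIX) - 1;
}

/* Experiment helper: build an all-'A' class name of n bytes (constructed
 * input) and try it against a 300-byte buffer.  Returns 0 if it fit,
 * -1 if it was rejected. */
int try_class_name_of_length(size_t n)
{
    char cls[512];
    char out[IMP_MEM_NAME_SIZE];

    if (n >= sizeof cls)
        return -1;
    memset(cls, 'A', n);
    cls[n] = '\0';
    return build_imp_mem_name(out, sizeof out, cls);
}

/* Convenience wrapper returning the built name from a static buffer,
 * or NULL when the class name is too long. */
const char *mem_name_for(const char *imp_class)
{
    static char out[IMP_MEM_NAME_SIZE];

    if (build_imp_mem_name(out, sizeof out, imp_class) != 0)
        return NULL;
    return out;
}

int main(void)
{
    /* A realistic driver name fits with room to spare ... */
    printf("%s -> %s\n", "DBD::ExampleP", mem_name_for("DBD::ExampleP"));
    /* ... 295 bytes is the longest that still fits, 296 is rejected. */
    printf("295-byte name: %s\n", try_class_name_of_length(295) == 0 ? "fits" : "rejected");
    printf("296-byte name: %s\n", try_class_name_of_length(296) == 0 ? "fits" : "rejected");
    return 0;
}
```

The only behavioural difference from the original pair of calls is the early length check: for every name that already fit, the output is byte-for-byte the same; for names longer than 295 bytes, which used to overflow, the caller now gets -1 and can raise an error (in DBI.xs that would naturally be a croak()).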