Subject: Fix sv_cache init global-buffer-overflow
sv_cache = newSVpvn ("", CACHE_SIZE);
must be replaced with
sv_cache = newSVpvn ("\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", CACHE_SIZE);
40x "\0"
sv_setpvn is not safe to use when the length is longer than the string; the
Move(ptr,dptr,len,char) overwrites memory belonging to other variables.
Only asan detected it. See attached patch.
--
Reini Urban
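An added example, not code from the patch or from Perl's API: a stand-alone C model of the newSVpvn (ptr, len) contract the report describes, with the bounds check that rejects newSVpvn ("", CACHE_SIZE) and accepts the 40-NUL literal. CACHE_SIZE = 40 and all function and macro names are assumptions.

```c
/* Added example, not from the Text::CSV_XS patch or Perl's API: models the
 * newSVpvn(ptr, len) contract the report describes (len bytes copied from ptr,
 * NUL or not) with the bounds check that rejects newSVpvn("", CACHE_SIZE).
 * CACHE_SIZE = 40 is assumed from the 40x "\0" in the report. */
#include <stdlib.h>
#include <string.h>

#define CACHE_SIZE 40

/* A copy of len bytes stays inside a string literal only while len does not
 * exceed the literal's storage, sizeof(lit) including the NUL. For "" that is
 * 1 byte, so len 40 reads 39 bytes of whatever global follows it: the
 * global-buffer-overflow ASan reported. */
static int len_fits_literal(size_t lit_size, size_t len)
{
    return len <= lit_size;
}
#define LEN_FITS_LITERAL(lit, len) len_fits_literal(sizeof(lit), (len)) /* lit: literal/array */

/* Guarded model of newSVpvn: copies len bytes, or returns NULL instead of
 * reading past the literal. */
static unsigned char *cache_from_literal(const char *lit, size_t lit_size,
                                          size_t len)
{
    if (!len_fits_literal(lit_size, len))
        return NULL;
    unsigned char *cache = malloc(len);
    if (cache)
        memcpy(cache, lit, len);
    return cache;
}

static int all_zero(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* 1 if initialising a CACHE_SIZE-byte cache from lit is in bounds and every
 * byte is zero (what csv->cache relies on), 0 if rejected or not zeroed. */
static int literal_cache_is_zeroed(const char *lit, size_t lit_size)
{
    unsigned char *cache = cache_from_literal(lit, lit_size, CACHE_SIZE);
    int ok = cache != NULL && all_zero(cache, CACHE_SIZE);
    free(cache);
    return ok;
}
#define LITERAL_CACHE_IS_ZEROED(lit) literal_cache_is_zeroed(lit, sizeof(lit))
```

The terminating NUL counts as readable storage, so a literal of 39 NULs still satisfies a 40-byte copy, while "" does not.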
Subject: Text-CSV_XS-0.93.patch
diff -bu ./CSV_XS.xs~ ./CSV_XS.xs
--- ./CSV_XS.xs~ 2012-11-19 09:18:05.000000000 -0600
+++ ./CSV_XS.xs 2012-11-26 16:05:43.410586807 -0600
@@ -522,9 +522,8 @@
csv->verbatim = bool_opt ("verbatim");
csv->auto_diag = bool_opt ("auto_diag");
- sv_cache = newSVpvn ("", CACHE_SIZE);
+ sv_cache = newSVpvn ("\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", CACHE_SIZE);
csv->cache = (byte *)SvPVX (sv_cache);
- memset (csv->cache, 0, CACHE_SIZE);
SvREADONLY_on (sv_cache);
csv->cache[CACHE_ID_quote_char] = csv->quote_char;
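Review bot: the replacement literal on the `+ sv_cache = newSVpvn (...)` line hard-codes 40 NUL bytes with nothing tying that count to CACHE_SIZE, so the moment CACHE_SIZE is changed the over-read that ASan flagged comes back silently, with no compiler diagnostic. The original problem is that newSVpvn copies exactly CACHE_SIZE bytes from whatever `ptr` points at, and `""` owns only one byte; a literal that happens to be the right length fixes the symptom but not the coupling. Consider allocating the buffer from the constant instead, for example `sv_cache = newSV (CACHE_SIZE);` with `SvPOK_on (sv_cache);` and `SvCUR_set (sv_cache, CACHE_SIZE);`, and keeping the `memset (csv->cache, 0, CACHE_SIZE);` line this hunk removes so the zero-fill is also driven by CACHE_SIZE. If the literal is kept, a compile-time check that its size (including the terminator) is at least CACHE_SIZE would at least make the mismatch fail the build rather than corrupt memory.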