In perl.git, the branch blead has been updated <http://perl5.git.perl.org/perl.git/commitdiff/9e0b0d62ba5a660ab4b6f498912cfaead79014a0?hp=2cc6a9db5a91276f3ff662b3e5befa6799fde3ed>
- Log ----------------------------------------------------------------- commit 9e0b0d62ba5a660ab4b6f498912cfaead79014a0 Author: Karl Williamson <[email protected]> Date: Mon Mar 9 11:14:19 2015 -0600 perl.c: Don't read possibly zapped memory See https://rt.perl.org/Ticket/Display.html?id=123748 The return of getenv() is a pointer to static storage which can legally be overwritten at any time by other calls to access the environment, even another getenv(). (What actually happens varies from platform to platform.) Results of getenv() therefore either have to be acted on immediately or copied to a safe area. This commit does the latter for this call in perl.c. The static area was being held on to even into the function call moreswitches() which does environment handling, so was vulnerable to this bug. ----------------------------------------------------------------------- Summary of changes: perl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/perl.c b/perl.c index 5cc8cdc..3153608 100644 --- a/perl.c +++ b/perl.c @@ -2004,6 +2004,10 @@ S_parse_body(pTHX_ char **env, XSINIT_t xsinit) #endif (s = PerlEnv_getenv("PERL5OPT"))) { + /* s points to static memory in getenv(), which may be overwritten at + * any time; use a mortal copy instead */ + s = SvPVX(sv_2mortal(newSVpv(s, 0))); + while (isSPACE(*s)) s++; if (*s == '-' && *(s+1) == 'T') { -- Perl5 Master Repository
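Review bot: The comment added above `s = SvPVX(sv_2mortal(newSVpv(s, 0)));` says the getenv() buffer "may be overwritten at any time" but does not name what in this block actually does so. The commit message identifies the later moreswitches() call as the environment-handling code that makes holding the pointer unsafe; putting that in the comment would keep a later cleanup from dropping the copy as redundant. The copy itself is taken directly after the PerlEnv_getenv("PERL5OPT") assignment with nothing in between, which is the right place for it. Because the message scopes the fix to "this call in perl.c", it is worth checking the other places that keep a PerlEnv_getenv() result across further calls before treating the ticket as fully addressed.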
