At 12:40 PM -0600 2/12/03, Patrick Spinler wrote:
>The following section of code in VMS.C (identical in perl 5.8.0 and perl
>5.6.1) has several pointer bugs.
>
>/* We need to use this hack to tell Perl it should run with tainting,
>  * since its tainting flag may be part of the PL_curinterp struct, which
>  * hasn't been allocated when vms_image_init() is called.
>  */
>if (will_taint) {
>   char ***newap;
>   New(1320,newap,*argcp+2,char **);
>   newap[0] = argvp[0];
>   *newap[1] = "-T";
>   Copy(argvp[1],newap[2],*argcp-1,char **);
>   /* We orphan the old argv, since we don't know where it's come from,
>    * so we don't know how to free it.
>    */
>   *argcp++; argvp = newap;
>}
>
>First, the line *newap[1] = "-T"; attempts to assign a char* to a char**
>that is currently 0, causing an ACCVIO.

Hmm.  It looks like the only two ways this code will get touched is
if you install PERLSHR with privileges (not recommended and
unsupported) or if you have a protected subsystem identifier in your
rightslist.  The latter should work and IIRC you make pretty heavy
use of identifiers on your systems.  Do you have a simple case that
will exercise the bug?

>
>I fixed that with the (extremely over conservative, but I like to be
>extra careful when funky pointer manipulation happens) code fragment:
>
>   static char *taintflag = "-T";
>   static char **taintflagptr = &taintflag;
>   New(1320,newap,*argcp+2,char **);
>   newap[0] = argvp[0];
>   newap[1] = taintflagptr;
>
>However, it's now ACCVIO'ing in the line
>
>   Copy(argvp[1],newap[2],*argcp-1,char **);
>
>and I'm out of time to look at it.  Can anyone recommend the appropriate
>change here ?

Triple pointers give me headaches but at first blush it looks like we
are using argvp in places where we should be using just argv, i.e.,
that which is pointed to by argvp.  I'll try to take a more detailed
look if someone doesn't beat me to it.
-- 
________________________________________
Craig A. Berry
mailto:[EMAIL PROTECTED]

"... getting out of a sonnet is much more
 difficult than getting in."
                 Brad Leithauser
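
The argv-rewriting that the quoted vms.c hack attempts, written out in plain C with the pointer levels Craig describes (work on argv, the char ** that argvp points to, not on argvp itself). This is an added example, not the code from vms.c or from any later perl patch; it uses malloc/memcpy in place of Perl's New/Copy macros, and the function names insert_taint_flag, demo_insert and demo_insert_no_args are made up for the illustration, as is the sample argument vector. Note also that `*argcp++` in the posted snippet parses as `*(argcp++)` and so bumps the pointer rather than the count; the example stores the new count explicitly.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Insert "-T" as argv[1] so perl starts with tainting enabled.
 * argcp/argvp are the caller's in/out parameters, exactly as in the
 * vms_image_init() hack. The old argv block is orphaned on purpose,
 * as in the original, because we do not know how it was allocated.
 * Returns 0 on success, -1 on failure (argc/argv left untouched). */
static int insert_taint_flag(int *argcp, char ***argvp)
{
    int    argc = *argcp;   /* the count itself, not the pointer to it */
    char **argv = *argvp;   /* the char*[] that argvp points to */
    char **newav;

    if (argc < 1 || argv == NULL)
        return -1;

    /* argc + 1 strings plus the terminating NULL entry */
    newav = malloc((size_t)(argc + 2) * sizeof *newav);
    if (newav == NULL)
        return -1;

    newav[0] = argv[0];                 /* program name stays first */
    newav[1] = "-T";                    /* char *, stored in a char * slot */
    /* remaining argc - 1 arguments shift up by one */
    memcpy(&newav[2], &argv[1], (size_t)(argc - 1) * sizeof *newav);
    newav[argc + 1] = NULL;

    *argcp = argc + 1;                  /* bump the count, not the pointer */
    *argvp = newav;
    return 0;
}

/* Constructed sample argv for the demo. Returns the new argc when the
 * rewritten vector has the expected shape, -1 otherwise. */
static int demo_insert(void)
{
    static char a0[] = "perl", a1[] = "script.pl", a2[] = "arg";
    char  *vec[] = { a0, a1, a2, NULL };
    int    argc  = 3;
    char **argv  = vec;

    if (insert_taint_flag(&argc, &argv) != 0 || argc != 4)
        return -1;
    if (strcmp(argv[0], "perl") != 0 || strcmp(argv[1], "-T") != 0 ||
        strcmp(argv[2], "script.pl") != 0 || strcmp(argv[3], "arg") != 0 ||
        argv[4] != NULL)
        return -1;
    free(argv);
    return argc;
}

/* Edge case: only the program name present, so nothing to shift. */
static int demo_insert_no_args(void)
{
    static char a0[] = "perl";
    char  *vec[] = { a0, NULL };
    int    argc  = 1;
    char **argv  = vec;

    if (insert_taint_flag(&argc, &argv) != 0 || argc != 2)
        return -1;
    if (strcmp(argv[0], "perl") != 0 || strcmp(argv[1], "-T") != 0 ||
        argv[2] != NULL)
        return -1;
    free(argv);
    return argc;
}

int main(void)
{
    printf("three args -> new argc %d\n", demo_insert());
    printf("no args    -> new argc %d\n", demo_insert_no_args());
    return 0;
}
```

The point of the two demo functions is the dereference discipline: every element access goes through argv (one level down from argvp), and every element written is a char *, so neither `newap[1]` nor the memcpy source ever touches an unallocated char ** slot.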
