
This queue is for tickets about the Compress-Raw-Zlib CPAN distribution.

Report information
The Basics
Id: 69985
Status: resolved
Priority: 0/
Queue: Compress-Raw-Zlib

People
Owner: Nobody in particular
Requestors: j.schicke [...] asco.de
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 2.039



Subject: Missing Storable Hook
Date: Wed, 03 Aug 2011 17:31:38 +0200
To: bug-Compress-Raw-Zlib [...] rt.cpan.org
From: Jens-Wolfhard Schicke <j.schicke [...] asco.de>
The following code results in a SIGSEGV:

    #!/usr/bin/perl

    use strict;
    use warnings;

    use Compress::Raw::Zlib;
    use Storable qw(freeze thaw);
    use Data::Dumper;

    my $stream = new Compress::Raw::Zlib::Deflate();
    print Dumper($stream);
    my $frozenStream = freeze($stream);
    my $crash = thaw($frozenStream);
    print Dumper($crash);
    print Dumper(bless(\(my $xyz = 123456), 'Test'));

As the Compress::Raw::Zlib::deflateStream is represented as a scalar reference containing a pointer, a double dereference results in two stream objects and subsequently to a double free.

It would be nice to have a Storable_freeze function defined which dies and reports non-serializability of the deflate streams. Similarly for STORABLE_thaw, otherwise thawing from network looks like a security risk as an attacker can corrupt memory via creating a stray stream object which points anywhere.

Sincerely,
Jens Schicke-Uffmann

--
Jens Schicke-Uffmann
j.schicke@asco.de
Tel 0531/3906-119

asco GmbH
Mittelweg 7
38106 Braunschweig
Tel 0531/3906-0
Fax 0531/3906-400
http://www.asco.de
Amtsgericht Braunschweig HRB 5035
Geschäftsführer Jochen Grote
Good idea

Paul
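The failure mode described in the report, and the requested hooks, as an added example that is not part of the original ticket or of the Compress-Raw-Zlib code. Demo::Handle and Demo::GuardedHandle are hypothetical pure-Perl stand-ins in which an integer plays the role of the C pointer, so a repeated release is counted instead of crashing.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Storable qw(freeze thaw);

# Constructed stand-in for an XS object: a blessed scalar reference whose
# value plays the role of the C pointer. %live tracks "allocated" handles.
package Demo::Handle;
our (%live, $next, @double_free);
$next = 0x1000;

sub new {
    my $class = shift;
    my $addr  = $next++;
    $live{$addr} = 1;
    return bless \$addr, $class;
}

# Releasing a handle that is no longer live is recorded as a double free.
sub DESTROY {
    my $self = shift;
    delete $live{$$self} or push @double_free, $$self;
}

# Same object, plus Storable hooks that refuse serialization.
package Demo::GuardedHandle;
our @ISA = ('Demo::Handle');
sub STORABLE_freeze { die "Cannot freeze " . ref($_[0]) . " object\n" }
sub STORABLE_thaw   { die "Cannot thaw "   . ref($_[0]) . " object\n" }

package main;

# Without hooks, thaw(freeze(...)) yields a second object carrying the same
# "pointer"; both run DESTROY when the block ends.
sub clone_unguarded {
    {
        my $orig = Demo::Handle->new;
        my $copy = thaw(freeze($orig));
    }
    return scalar @Demo::Handle::double_free;
}

# With hooks, freeze() dies before any copy of the pointer is written out.
sub freeze_guarded {
    my $obj = Demo::GuardedHandle->new;
    return eval { freeze($obj); 1 } ? "frozen\n" : $@;
}

printf "double releases without hooks: %d\n", clone_unguarded();
print  "with hooks: ", freeze_guarded();
```

Storable calls STORABLE_thaw only for data that was frozen through a hook, so these hooks stop accidental round trips but do not make it safe to thaw input from an untrusted source.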

