/ 
perl5.002b3
River stage five • 12558 direct dependents • 35228 total dependents
/ utils/c2ph.PL
Security Advisories (30)
CVE-2011-2728 (2012-12-21)

The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.

CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2010-4777 (2014-02-10)

The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.

CVE-2010-1158 (2010-04-20)

Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string.

CVE-2009-3626 (2009-10-29)

Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match.

CVE-2008-1927 (2008-04-24)

Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. NOTE: this issue might only be present on certain operating systems.

CVE-2005-3962 (2005-12-01)

Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.

CVE-2007-5116 (2007-11-07)

Buffer overflow in the polymorphic opcode support in the Regular Expression Engine (regcomp.c) in Perl 5.8 allows context-dependent attackers to execute arbitrary code by switching from byte to Unicode (UTF) characters in a regular expression.

CVE-2012-5195 (2012-12-18)

Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2011-1487 (2011-04-11)

The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.

CVE-1999-1386 (1999-12-31)

Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-1999-0034 (1997-05-29)

Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.

CVE-1999-0462 (1999-03-17)

suidperl in Linux Perl does not check the nosuid mount option on file systems, allowing local users to gain root access by placing a setuid script in a mountable file system, e.g. a CD-ROM or floppy disk.

CVE-2000-0703 (2000-10-20)

suidperl (aka sperl) does not properly cleanse the escape sequence "~!" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the "interactive" environmental variable and calling suidperl with a filename that contains the escape sequence.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

NAME

c2ph,pstruct - Dump C structures as generated from 'cc -g -S' stabs

SYNOPSIS

c2ph [-dpnP] [var=val] [files ...]

OPTIONS

Options:

-w	wide; short for: type_width=45 member_width=35 offset_width=8
-x	hex; short for:  offset_fmt=x offset_width=08 size_fmt=x size_width=04

-n	do not generate perl code  (default when invoked as pstruct)
-p	generate perl code         (default when invoked as c2ph)
-v	generate perl code, with C decls as comments

-i	do NOT recompute sizes for intrinsic datatypes
-a	dump information on intrinsics also

-t	trace execution
-d	spew reams of debugging output

-slist  give comma-separated list a structures to dump

DESCRIPTION

The following is the old c2ph.doc documentation by Tom Christiansen <tchrist@perl.com> Date: 25 Jul 91 08:10:21 GMT

Once upon a time, I wrote a program called pstruct. It was a perl program that tried to parse out C structures and display their member offsets for you. This was especially useful for people looking at binary dumps or poking around the kernel.

Pstruct was not a pretty program. Neither was it particularly robust. The problem, you see, was that the C compiler was much better at parsing C than I could ever hope to be.

So I got smart: I decided to be lazy and let the C compiler parse the C, which would spit out debugger stabs for me to read. These were much easier to parse. It's still not a pretty program, but at least it's more robust.

Pstruct takes any .c or .h files, or preferably .s ones, since that's the format it is going to massage them into anyway, and spits out listings like this:

struct tty { int tty.t_locker 000 4 int tty.t_mutex_index 004 4 struct tty * tty.t_tp_virt 008 4 struct clist tty.t_rawq 00c 20 int tty.t_rawq.c_cc 00c 4 int tty.t_rawq.c_cmax 010 4 int tty.t_rawq.c_cfx 014 4 int tty.t_rawq.c_clx 018 4 struct tty * tty.t_rawq.c_tp_cpu 01c 4 struct tty * tty.t_rawq.c_tp_iop 020 4 unsigned char * tty.t_rawq.c_buf_cpu 024 4 unsigned char * tty.t_rawq.c_buf_iop 028 4 struct clist tty.t_canq 02c 20 int tty.t_canq.c_cc 02c 4 int tty.t_canq.c_cmax 030 4 int tty.t_canq.c_cfx 034 4 int tty.t_canq.c_clx 038 4 struct tty * tty.t_canq.c_tp_cpu 03c 4 struct tty * tty.t_canq.c_tp_iop 040 4 unsigned char * tty.t_canq.c_buf_cpu 044 4 unsigned char * tty.t_canq.c_buf_iop 048 4 struct clist tty.t_outq 04c 20 int tty.t_outq.c_cc 04c 4 int tty.t_outq.c_cmax 050 4 int tty.t_outq.c_cfx 054 4 int tty.t_outq.c_clx 058 4 struct tty * tty.t_outq.c_tp_cpu 05c 4 struct tty * tty.t_outq.c_tp_iop 060 4 unsigned char * tty.t_outq.c_buf_cpu 064 4 unsigned char * tty.t_outq.c_buf_iop 068 4 (*int)() tty.t_oproc_cpu 06c 4 (*int)() tty.t_oproc_iop 070 4 (*int)() tty.t_stopproc_cpu 074 4 (*int)() tty.t_stopproc_iop 078 4 struct thread * tty.t_rsel 07c 4

etc.

Actually, this was generated by a particular set of options. You can control the formatting of each column, whether you prefer wide or fat, hex or decimal, leading zeroes or whatever.

All you need to be able to use this is a C compiler than generates BSD/GCC-style stabs. The -g option on native BSD compilers and GCC should get this for you.

To learn more, just type a bogus option, like -\?, and a long usage message will be provided. There are a fair number of possibilities.

If you're only a C programmer, than this is the end of the message for you. You can quit right now, and if you care to, save off the source and run it when you feel like it. Or not.

But if you're a perl programmer, then for you I have something much more wondrous than just a structure offset printer.

You see, if you call pstruct by its other incybernation, c2ph, you have a code generator that translates C code into perl code! Well, structure and union declarations at least, but that's quite a bit.

Prior to this point, anyone programming in perl who wanted to interact with C programs, like the kernel, was forced to guess the layouts of the C strutures, and then hardwire these into his program. Of course, when you took your wonderfully crafted program to a system where the sgtty structure was laid out differently, you program broke. Which is a shame.

We've had Larry's h2ph translator, which helped, but that only works on cpp symbols, not real C, which was also very much needed. What I offer you is a symbolic way of getting at all the C structures. I've couched them in terms of packages and functions. Consider the following program:

    #!/usr/local/bin/perl

    require 'syscall.ph';
    require 'sys/time.ph';
    require 'sys/resource.ph';

    $ru = "\0" x &rusage'sizeof();

    syscall(&SYS_getrusage, &RUSAGE_SELF, $ru)      && die "getrusage: $!";

    @ru = unpack($t = &rusage'typedef(), $ru);

    $utime =  $ru[ &rusage'ru_utime + &timeval'tv_sec  ]
	   + ($ru[ &rusage'ru_utime + &timeval'tv_usec ]) / 1e6;

    $stime =  $ru[ &rusage'ru_stime + &timeval'tv_sec  ]
	   + ($ru[ &rusage'ru_stime + &timeval'tv_usec ]) / 1e6;

    printf "you have used %8.3fs+%8.3fu seconds.\n", $utime, $stime;

As you see, the name of the package is the name of the structure. Regular fields are just their own names. Plus the follwoing accessor functions are provided for your convenience:

    struct	This takes no arguments, and is merely the number of first-level
		elements in the structure.  You would use this for indexing
		into arrays of structures, perhaps like this


		    $usec = $u[ &user'u_utimer
				+ (&ITIMER_VIRTUAL * &itimerval'struct)
				+ &itimerval'it_value
				+ &timeval'tv_usec
			      ];

    sizeof   	Returns the bytes in the structure, or the member if
	     	you pass it an argument, such as

			&rusage'sizeof(&rusage'ru_utime)

    typedef  	This is the perl format definition for passing to pack and
	     	unpack.  If you ask for the typedef of a nothing, you get
	     	the whole structure, otherwise you get that of the member
	     	you ask for.  Padding is taken care of, as is the magic to
	     	guarantee that a union is unpacked into all its aliases.
	     	Bitfields are not quite yet supported however.

    offsetof	This function is the byte offset into the array of that
		member.  You may wish to use this for indexing directly
		into the packed structure with vec() if you're too lazy
		to unpack it.

    typeof	Not to be confused with the typedef accessor function, this
		one returns the C type of that field.  This would allow
		you to print out a nice structured pretty print of some
		structure without knoning anything about it beforehand.
		No args to this one is a noop.  Someday I'll post such
		a thing to dump out your u structure for you.

The way I see this being used is like basically this:

% h2ph <some_include_file.h  >  /usr/lib/perl/tmp.ph
% c2ph  some_include_file.h  >> /usr/lib/perl/tmp.ph
% install

It's a little tricker with c2ph because you have to get the includes right. I can't know this for your system, but it's not usually too terribly difficult.

The code isn't pretty as I mentioned -- I never thought it would be a 1000- line program when I started, or I might not have begun. :-) But I would have been less cavalier in how the parts of the program communicated with each other, etc. It might also have helped if I didn't have to divine the makeup of the stabs on the fly, and then account for micro differences between my compiler and gcc.

Anyway, here it is. Should run on perl v4 or greater. Maybe less.

--tom