Integer overflow leading to buffer overflow

Critical
Internet Bug Bounty
Reported by jkrshnmenon

Vulnerability Details

Technical details and impact analysis

Integer Overflow
There exists an integer overflow in `Perl_my_setenv` in `util.c` at line 2070:

```c
2070: void Perl_my_setenv(pTHX_ const char *nam, const char *val) {
...
2166:     const int nlen = strlen(nam);
...
2171:     vlen = strlen(val);
2172:     new_env = (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char));
```

Here, in a 64-bit version of Perl, since the arguments `nam` and `val` are user controlled, the 32-bit integers `nlen` and `vlen` are also under the control of the attacker. Therefore, if `nam` and `val` are two very long strings (for example, 2147483647 bytes long each), the addition at line 2172 results in an integer overflow, and `new_env` is a chunk whose size is smaller than the sum of the lengths of the two input strings. This `new_env` is subsequently used in a call to `memcpy` to copy `nlen` bytes from `nam` followed by `vlen` bytes from `val`, resulting in a heap buffer overflow with attacker-controlled input.

Please find attached a PoC which demonstrates the buffer overflow. Please note that the attached PoC consumes large amounts of memory and results in a segmentation fault on a 64-bit Ubuntu 16.04 system running a 64-bit version of Perl. This segmentation fault occurs because the `memcpy` tries to write outside the initial heap boundary.

This vulnerability has been recognised as a serious security issue and has been assigned the identifier CVE-2018-18311 by the developers.

## Impact

Memory corruption with attacker-controlled input, which can lead to arbitrary code execution.
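As an added illustration (not Perl's code and not the reporter's PoC), the following C program reproduces the size arithmetic the report describes and places a hardened version beside it: the length sum is computed in `size_t` and checked for overflow before anything is allocated or copied. The helper names are hypothetical, and the `+2` is assumed to cover the `=` separator and the terminating NUL.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the arithmetic in the report (hypothetical helper): two lengths
 * held in 32-bit integers are summed with +2 and the result becomes the
 * allocation size. Done in uint32_t so the wrap-around is well defined. */
uint32_t wrapped_env_size(uint32_t nlen, uint32_t vlen)
{
    return nlen + vlen + 2u;          /* may wrap to a tiny value */
}

/* Hardened size computation: size_t throughout and an explicit overflow
 * check before any allocation. Returns false if nlen + vlen + 2 does not
 * fit in size_t, so the caller can refuse the request. */
bool checked_env_size(size_t nlen, size_t vlen, size_t *out)
{
    if (nlen > SIZE_MAX - 2 || vlen > SIZE_MAX - 2 - nlen)
        return false;
    *out = nlen + vlen + 2;
    return true;
}

/* Builds "nam=val" (assumed layout) only after the checked size succeeds.
 * Returns NULL on overflow or allocation failure; the caller frees it. */
char *safe_build_env(const char *nam, const char *val)
{
    size_t nlen = strlen(nam), vlen = strlen(val), size;
    if (!checked_env_size(nlen, vlen, &size))
        return NULL;
    char *new_env = malloc(size);
    if (!new_env)
        return NULL;
    memcpy(new_env, nam, nlen);
    new_env[nlen] = '=';
    memcpy(new_env + nlen + 1, val, vlen);
    new_env[nlen + 1 + vlen] = '\0';
    return new_env;
}

int main(void)
{
    /* Constructed lengths taken from the report's example: two strings of
     * 2147483647 bytes each make the 32-bit sum wrap to 0. */
    printf("wrapped size: %u\n", wrapped_env_size(2147483647u, 2147483647u));
    char *e = safe_build_env("PATH", "/usr/bin");   /* constructed input */
    if (e) { puts(e); free(e); }
    return 0;
}
```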

Related CVEs

Associated Common Vulnerabilities and Exposures

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Integer Overflow