From 0ac626a715086c269de462453df5c8d231ef22a1 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 15 Apr 2019 15:23:32 +1000
Subject: [PATCH] (perl #17844) don't update SvCUR until after we've done
moving
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
SvCUR() before the SvGROW() calls could result in reading beyond the
end of a buffer.
It wasn't a problem in the normal case, since sv_grow() just calls
realloc() which has its own notion of how big the memory block is, but
if the SV is SvOOK() sv_backoff() tries to move SvCUR()+1 bytes, which
might be larger than the currently allocated size of the PV.
Petr Písař: Ported to 5.30.3 from
45f235c116d4deab95c576aff77fe46d609f8553.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
doop.c | 2 +-
t/op/bop.t | 11 ++++++++++-
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/doop.c b/doop.c
index 54e35f1..42e05dd 100644
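--- a/doop.c
+++ b/doop.c
@@ -1120,7 +1120,6 @@ Perl_do_vop(pTHX_ I32 optype, SV *sv, SV *left, SV *right)
 lsave = lc;
 rsave = rc;
 
- SvCUR_set(sv, len);
 (void)SvPOK_only(sv);
 if (SvOK(sv) || SvTYPE(sv) > SVt_PVMG) {
 dc = SvPV_force_nomg_nolen(sv);
@@ -1136,6 +1135,7 @@ Perl_do_vop(pTHX_ I32 optype, SV *sv, SV *left, SV *right)
 sv_usepvn_flags(sv, dc, needlen, SV_HAS_TRAILING_NUL);
 dc = SvPVX(sv); /* sv_usepvn() calls Renew() */
 }
+ SvCUR_set(sv, len);
 
 #ifdef LIBERAL
 if (len >= sizeof(long)*4 &&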
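Review bot: The relocated `SvCUR_set(sv, len);` after the if/else is now order-sensitive for memory safety, yet nothing at that line says so, and a later tidy-up could hoist it back above the branch. A short comment would pin the ordering, for example `/* set SvCUR only after any SvGROW(): sv_backoff() on an OOK sv moves SvCUR()+1 bytes */`. The lines between the two hunks are not shown; any `SvCUR(sv)` read there now sees the previous length rather than `len`, which is presumably intended but worth confirming against the full function. Perl_do_vop's body starts and ends outside both hunks.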
diff --git a/t/op/bop.t b/t/op/bop.t
index 411d253..12e206d 100644
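--- a/t/op/bop.t
+++ b/t/op/bop.t
@@ -18,7 +18,7 @@ BEGIN {
 # If you find tests are failing, please try adding names to tests to track
 # down where the failure is, and supply your new names as a patch.
 # (Just-in-time test naming)
-plan tests => 504;
+plan tests => 505;
 
 # numerics
 ok ((0xdead & 0xbeef) == 0x9ead);
@@ -683,3 +683,12 @@ foreach my $op_info ([and => "&"], [or => "|"], [xor => "^"]) {
 diag join "\n", @warnings;
 }
 }
+
+{
+ # perl #17844 - only visible with valgrind/ASAN
+ fresh_perl_is(<<'EOS',
+formline X000n^\\0,\\0^\\0for\0,0..10
+EOS
+ '',
+ {}, "[perl #17844] access beyond end of block");
+}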
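Review bot: The added `fresh_perl_is` block in the last hunk can only fail when perl runs under a memory checker, as its own comment says, so an ordinary test run passes whether or not the doop.c change is applied. The test description could carry that limitation so the TAP output is not over-trusted, for example `"[perl #17844] access beyond end of block (needs valgrind/ASAN)"`. For the regression to stay guarded, at least one valgrind or ASAN build should include t/op/bop.t.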
--
2.25.4