From bd1a29f218b291165e47d9035aaeec14abd9732e Mon Sep 17 00:00:00 2001
From: David Mitchell <davem@iabyn.com>
Date: Mon, 8 May 2017 21:06:38 +0100
Subject: [PATCH] avoid a memory wrap in sv_vcatpvfn_flags()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RT #131260
When calculating the new size of PL_efloatbuf, avoid wrapping 'need'.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
sv.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/sv.c b/sv.c
index e90ea84..9f3e28e 100644
--- a/sv.c
+++ b/sv.c
@@ -12448,7 +12448,13 @@ Perl_sv_vcatpvfn_flags(pTHX_ SV *const sv, const char *const pat, const STRLEN p
need = BIT_DIGITS(i);
} /* if i < 0, the number of digits is hard to predict. */
}
- need += has_precis ? precis : 6; /* known default */
+
+ {
+ STRLEN pr = has_precis ? precis : 6; /* known default */
+ if (need >= ((STRLEN)~0) - pr)
+ croak_memory_wrap();
+ need += pr;
+ }
if (need < width)
need = width;
@@ -12519,10 +12525,12 @@ Perl_sv_vcatpvfn_flags(pTHX_ SV *const sv, const char *const pat, const STRLEN p
#endif /* HAS_LDBL_SPRINTF_BUG */
- need += 20; /* fudge factor */
+ if (need >= ((STRLEN)~0) - 40)
+ croak_memory_wrap();
+ need += 40; /* fudge factor */
if (PL_efloatsize < need) {
Safefree(PL_efloatbuf);
- PL_efloatsize = need + 20; /* more fudge */
+ PL_efloatsize = need;
Newx(PL_efloatbuf, PL_efloatsize, char);
PL_efloatbuf[0] = '\0';
}
--
2.9.4