From 9ba9a28aaea66bad2de041880a2c4210a911dda6 Mon Sep 17 00:00:00 2001
From: David Mitchell <davem@iabyn.com>
Date: Wed, 21 Nov 2018 12:09:45 +0000
Subject: [PATCH] S_hv_delete_common(): avoid undefined behaviour
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ASAN -fsanitize-undefined was tripping on the second of these two lines:

    svp = AvARRAY(isa);
    end = svp + AvFILLp(isa)+1;

In the case where svp is NULL and AvFILLp(isa) is -1, the first addition
is undefined behaviour. Add the 1 first, so that it becomes
svp + (-1+1), which is safe.

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 hv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hv.c b/hv.c
index d3d02d1046..fc90a5146b 100644
--- a/hv.c
+++ b/hv.c
@@ -1295,7 +1295,7 @@ S_hv_delete_common(pTHX_ HV *hv, SV *keysv, const char *key, STRLEN klen,
                             SV **svp, **end;
                         strip_magic:
                             svp = AvARRAY(isa);
-                            end = svp + AvFILLp(isa)+1;
+                            end = svp + (AvFILLp(isa)+1);
                             while (svp < end) {
                                 if (*svp)
                                     mg_free_type(*svp, PERL_MAGIC_isaelem);
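Review bot: the regrouped line `+ end = svp + (AvFILLp(isa)+1);` still evaluates `NULL + 0` in the case the commit message describes (AvARRAY(isa) is NULL and AvFILLp(isa) is -1). Sanitizer builds accept that today, but the C standard, unlike C++, gives a zero offset on a null pointer no special status, and newer clang UBSan builds can report "applying zero offset to null pointer" in C code, so the same warning may come back with a newer toolchain. If the loop should be immune to that too, skip the pointer arithmetic entirely for the empty case, e.g. guard the `strip_magic:` block with `if (AvFILLp(isa) >= 0)`, or walk by index (`for (i = 0; i <= AvFILLp(isa); i++)`) and index AvARRAY(isa) only when there is at least one element. Either way, a one-line comment above `strip_magic:` saying why the addition is parenthesised would keep a later cleanup from flattening it back to the original form.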
-- 
2.17.2
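The pointer-arithmetic edge case the commit message describes, as an added example that is not part of the patch or of perl's own source. The `toy_av` type, the `count_live_*` functions and `demo_count` are this example's own stand-ins for AvARRAY()/AvFILLp() and the strip_magic loop; they assume, as the commit message states, that an empty array has a NULL element pointer and a fill index of -1. The first function mirrors the patched grouping; the second avoids forming any pointer from NULL at all, which is the stricter option when a toolchain also rejects a zero offset on a null pointer in C.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for perl's AV: `array` plays the role of
 * AvARRAY(isa) (NULL for an array that was never extended) and `fill`
 * plays the role of AvFILLp(isa) (index of the last element, -1 when
 * empty). Names and layout are this example's own, not perl's. */
typedef struct {
    void **array;
    long   fill;
} toy_av;

/* Walks the slots the way the patched hv.c loop does:
 *   end = svp + (fill + 1)
 * With the original grouping, svp + fill + 1, an empty array would first
 * compute NULL + (-1), which is what the sanitizer tripped on. After the
 * patch the empty case computes NULL + 0 instead; UBSan accepts that,
 * although the C standard still does not define it. Returns the number
 * of non-NULL slots (the ones mg_free_type() would be called on). */
long count_live_parenthesised(const toy_av *av)
{
    void **svp = av->array;
    void **end = svp + (av->fill + 1);
    long n = 0;
    while (svp < end) {
        if (*svp)
            n++;
        svp++;
    }
    return n;
}

/* Stricter variant: never derives a pointer from NULL. Bails out when the
 * array has no storage and otherwise iterates by index, so neither
 * NULL + (-1) nor NULL + 0 is ever formed. */
long count_live_indexed(const toy_av *av)
{
    long n = 0, i;
    if (av->array == NULL || av->fill < 0)
        return 0;
    for (i = 0; i <= av->fill; i++)
        if (av->array[i])
            n++;
    return n;
}

/* Constructed sample inputs: an empty AV (NULL storage, fill -1) and a
 * three-slot AV whose middle slot is empty. Returns the live-slot count
 * for the chosen input using the chosen walker. */
long demo_count(int populated, int indexed)
{
    int x, y;
    void *slots[3] = { &x, NULL, &y };
    toy_av empty = { NULL, -1 };
    toy_av full  = { slots, 2 };
    const toy_av *av = populated ? &full : &empty;
    return indexed ? count_live_indexed(av) : count_live_parenthesised(av);
}

int main(void)
{
    printf("empty, parenthesised: %ld\n", demo_count(0, 0));
    printf("empty, indexed:       %ld\n", demo_count(0, 1));
    printf("full,  parenthesised: %ld\n", demo_count(1, 0));
    printf("full,  indexed:       %ld\n", demo_count(1, 1));
    return 0;
}
```

Building this with `-fsanitize=undefined` shows the difference the patch makes: replacing the parenthesised expression with `svp + av->fill + 1` reproduces the "pointer index expression with base (null)" style report for the empty case, while the indexed walker stays silent under any sanitizer because it never performs arithmetic on the NULL base.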