From 06cbc317229e882f379e75eb3adf7cf9c071febd Mon Sep 17 00:00:00 2001
From: David Mitchell <davem@iabyn.com>
Date: Wed, 3 Apr 2019 11:06:22 +0100
Subject: [PATCH] Fix recent double free in S_parse_gv_stash_name()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RT #133977

My recent commit v5.29.9-29-g657ed7c1c1 moved all buffer freeing to
the end of the function, but missed removing one of the existing frees.

The problem was spotted by James E Keenan and diagnosed by Tony Cook; I just
added a test.

A simple reproducer is

my $def = defined *{"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'x"};

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 gv.c                  | 1 -
 t/op/stash_parse_gv.t | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/gv.c b/gv.c
index 61085f5c53..3b8759e88a 100644
--- a/gv.c
+++ b/gv.c
@@ -1665,7 +1665,6 @@ S_parse_gv_stash_name(pTHX_ HV **stash, GV **gv, const char **name,
                 gvp = (GV**)hv_fetch(*stash, key, is_utf8 ? -((I32)*len) : (I32)*len, add);
                 *gv = gvp ? *gvp : NULL;
                 if (!*gv || *gv == (const GV *)&PL_sv_undef) {
-                    Safefree(tmpfullbuf); /* free our tmpfullbuf if it was used */
                     goto notok;
                 }
                 /* here we know that *gv && *gv != &PL_sv_undef */
diff --git a/t/op/stash_parse_gv.t b/t/op/stash_parse_gv.t
index 05694ca8ce..bd9e95cf37 100644
--- a/t/op/stash_parse_gv.t
+++ b/t/op/stash_parse_gv.t
@@ -23,7 +23,7 @@ foreach my $t (@tests) {
     my ( $sub, $name ) = @$t;
 
     fresh_perl_is(
-        qq[sub $sub { print qq[ok\n]} &{"$sub"} ],
+        qq[sub $sub { print qq[ok\n]} &{"$sub"}; my \$d = defined *{"foo$sub"} ],
         q[ok],
         { switches => ['-w'] },
         $name
-- 
2.20.1