From 0ac626a715086c269de462453df5c8d231ef22a1 Mon Sep 17 00:00:00 2001
From: Tony Cook
Date: Mon, 15 Apr 2019 15:23:32 +1000
Subject: [PATCH] (perl #17844) don't update SvCUR until after we've done moving
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

SvCUR() before the SvGROW() calls could result in reading beyond the end of a buffer. It wasn't a problem in the normal case, since sv_grow() just calls realloc() which has its own notion of how big the memory block is, but if the SV is SvOOK() sv_backoff() tries to move SvCUR()+1 bytes, which might be larger than the currently allocated size of the PV.

Petr Písař: Ported to 5.30.3 from 45f235c116d4deab95c576aff77fe46d609f8553.

Signed-off-by: Petr Písař
---
 doop.c | 2 +-
 t/op/bop.t | 11 ++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/doop.c b/doop.c
index 54e35f1..42e05dd 100644
--- a/doop.c
+++ b/doop.c
@@ -1120,7 +1120,6 @@ Perl_do_vop(pTHX_ I32 optype, SV *sv, SV *left, SV *right)
 lsave = lc;
 rsave = rc;
- SvCUR_set(sv, len);
 (void)SvPOK_only(sv);
 if (SvOK(sv) || SvTYPE(sv) > SVt_PVMG) {
 dc = SvPV_force_nomg_nolen(sv);
@@ -1136,6 +1135,7 @@ Perl_do_vop(pTHX_ I32 optype, SV *sv, SV *left, SV *right)
 sv_usepvn_flags(sv, dc, needlen, SV_HAS_TRAILING_NUL);
 dc = SvPVX(sv); /* sv_usepvn() calls Renew() */
 }
+ SvCUR_set(sv, len);
 #ifdef LIBERAL
 if (len >= sizeof(long)*4 &&
diff --git a/t/op/bop.t b/t/op/bop.t
index 411d253..12e206d 100644
--- a/t/op/bop.t
+++ b/t/op/bop.t
@@ -18,7 +18,7 @@ BEGIN {
 # If you find tests are failing, please try adding names to tests to track
 # down where the failure is, and supply your new names as a patch.
 # (Just-in-time test naming)
-plan tests => 504;
+plan tests => 505;
 
 # numerics
 ok ((0xdead & 0xbeef) == 0x9ead);
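Review bot: With `SvCUR_set(sv, len);` removed at the top of Perl_do_vop's write-back sequence, the code between this hunk and the second doop.c hunk — the SvPV_force_nomg_nolen / SvGROW branch, which the patch does not show — now runs with sv's previous SvCUR instead of len. Anything in that branch that reads SvCUR(sv) to size a fill or a copy therefore sees the old length; that is presumably the intended effect (the commit message explains that sv_backoff() on an SvOOK sv moves SvCUR()+1 bytes, which could exceed the old allocation), but it should be confirmed against those unshown lines, since a helper that relied on SvCUR already being len would now under-fill. Perl_do_vop starts before this hunk and continues past it.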
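Review bot: The relocated `SvCUR_set(sv, len);` in the second doop.c hunk carries a non-obvious ordering constraint that only the commit message records; a reader of doop.c will see a lone length update after both the SvGROW and the sv_usepvn_flags paths and nothing stopping the next refactor from hoisting it back. Suggest a comment above the line: `/* Set SvCUR only after the buffer has been grown: on an SvOOK sv, sv_backoff() moves SvCUR+1 bytes, which may exceed the old allocation (perl #17844). */`. Because the set now sits after the if/else rather than before it, any branch added there later must still fall through to this line; worth stating in the same comment. Perl_do_vop continues past this hunk.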
@@ -683,3 +683,12 @@ foreach my $op_info ([and => "&"], [or => "|"], [xor => "^"]) {
 diag join "\n", @warnings;
 }
 }
+
+{
+ # perl #17844 - only visible with valgrind/ASAN
+ fresh_perl_is(<<'EOS',
+formline X000n^\\0,\\0^\\0for\0,0..10
+EOS
+ '',
+ {}, "[perl #17844] access beyond end of block");
+}
-- 
2.25.4
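Review bot: The one-line program in the `<<'EOS'` heredoc is a fuzzer-style reproducer and the comment `# perl #17844 - only visible with valgrind/ASAN` says when the fault shows but not what is exercised; on an uninstrumented build this fresh_perl_is passes both before and after the doop.c change, so the file alone does not tell a reader why the test exists or what a future failure would mean. Suggest extending the comment to something like `# perl #17844 - repeated string bitwise op whose target buffer is resized; the over-read only shows under valgrind/ASAN, so this is a no-output, no-crash check`, assuming the `^` on the stringified refs is what reaches do_vop — worth confirming. The closing braces at the start of the hunk belong to the foreach that begins outside it; the added block itself is complete within the hunk.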