This is a live mirror of the Perl 5 development currently hosted at https://github.com/perl/perl5
Fix recent double free in S_parse_gv_stash_name()
author David Mitchell <davem@iabyn.com>
Wed, 3 Apr 2019 10:06:22 +0000 (11:06 +0100)
committer David Mitchell <davem@iabyn.com>
Wed, 3 Apr 2019 10:06:22 +0000 (11:06 +0100)
RT #133977

My recent commit v5.29.9-29-g657ed7c1c1 moved all buffer freeing to
the end of the function, but missed removing one of the existing frees.

The problem was spotted by James E Keenan and diagnosed by Tony Cook; I just
added a test.

A simple reproducer is

my $def = defined *{"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'x"};

gv.c
t/op/stash_parse_gv.t

diff --git a/gv.c b/gv.c
index 61085f5..3b8759e 100644 (file)
--- a/gv.c
+++ b/gv.c
@@ -1665,7 +1665,6 @@ S_parse_gv_stash_name(pTHX_ HV **stash, GV **gv, const char **name,
                 gvp = (GV**)hv_fetch(*stash, key, is_utf8 ? -((I32)*len) : (I32)*len, add);
                 *gv = gvp ? *gvp : NULL;
                 if (!*gv || *gv == (const GV *)&PL_sv_undef) {
-                    Safefree(tmpfullbuf); /* free our tmpfullbuf if it was used */
                     goto notok;
                 }
                 /* here we know that *gv && *gv != &PL_sv_undef */
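Review bot: with the Safefree(tmpfullbuf) gone from the `if (!*gv || *gv == (const GV *)&PL_sv_undef)` branch, this exit relies entirely on the code at `notok` to release the buffer, and that label is outside the context shown here. Since the commit message says the earlier consolidation missed this one free, it is worth checking every other `goto` and `return` in S_parse_gv_stash_name() for a leftover Safefree(tmpfullbuf) in the same pass. A short comment at this `goto notok;` saying that tmpfullbuf is freed at the end of the function would stop a later edit from putting the free back.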
index 05694ca..bd9e95c 100644 (file)
@@ -23,7 +23,7 @@ foreach my $t (@tests) {
     my ( $sub, $name ) = @$t;
 
     fresh_perl_is(
-        qq[sub $sub { print qq[ok\n]} &{"$sub"} ],
+        qq[sub $sub { print qq[ok\n]} &{"$sub"}; my \$d = defined *{"foo$sub"} ],
         q[ok],
         { switches => ['-w'] },
         $name
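Review bot: the added `my \$d = defined *{"foo$sub"}` statement carries no comment tying it to RT #133977, and the expected output is still q[ok], which the script prints before the new statement runs. The regression is therefore caught only if the double free changes what fresh_perl_is captures, and only if the names in @tests (not visible in this hunk) take the tmpfullbuf path once "foo" is prepended. Consider adding the reproducer from the commit message as its own explicit case with a description that names the ticket, so the coverage does not depend on the contents of @tests.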