This is a live mirror of the Perl 5 development currently hosted at https://github.com/perl/perl5
PATCH: [perl #134134] read beyond end of buffer
author Karl Williamson <khw@cpan.org>
Fri, 24 May 2019 15:15:59 +0000 (09:15 -0600)
committer Karl Williamson <khw@cpan.org>
Fri, 24 May 2019 23:09:29 +0000 (17:09 -0600)
This turns out to be because of a special input case in my_atof3(),
wherein if the input length is 0, it calls strlen to find the length.

The solution is to add a test and not call the function unless the
length is positive.

regcomp.c

index 9bd6dd3..3ad09c5 100644 (file)
--- a/regcomp.c
+++ b/regcomp.c
@@ -23428,10 +23428,12 @@ Perl_parse_uniprop_string(pTHX_
                  * NV. */
 
                 NV value;
                  * NV. */
 
                 NV value;
+                SSize_t value_len = lookup_len - equals_pos;
 
                 /* Get the value */
 
                 /* Get the value */
-                if (my_atof3(lookup_name + equals_pos, &value,
-                             lookup_len - equals_pos)
+                if (   value_len <= 0
+                    || my_atof3(lookup_name + equals_pos, &value,
+                                value_len)
                           != lookup_name + lookup_len)
                 {
                     goto failed;
                           != lookup_name + lookup_len)
                 {
                     goto failed;
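
Review bot: The new `value_len <= 0` test at the top of the `if` has no comment saying why a zero length must be rejected. The commit message explains that my_atof3() calls strlen when the length is 0; a one-line comment to that effect next to the check would keep a later cleanup from dropping it as redundant. Separately, `value_len` is an SSize_t initialised from `lookup_len - equals_pos`, and the declarations of those two variables are not visible in this hunk. If they are unsigned, the negative branch of the test depends on converting a wrapped difference to a signed type. Testing `equals_pos >= lookup_len` before subtracting would give the same result without relying on that conversion. No regression test for the [perl #134134] input appears in this hunk; one would be worth adding alongside the fix.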