This is a live mirror of the Perl 5 development currently hosted at https://github.com/perl/perl5
Perl_sv_vcatpvfn_flags: avoid 1-byte buf overrun
author David Mitchell <davem@iabyn.com>
Wed, 10 May 2017 15:17:18 +0000 (16:17 +0100)
committer David Mitchell <davem@iabyn.com>
Wed, 7 Jun 2017 08:11:00 +0000 (09:11 +0100)
This only occurs on the "%a" (hex) format, and only happens when
processing a denormalised value whose bit pattern is 0xf....f or similar,
and when rounding up it needs to insert a '1' at the head of the number
and shift the rest of the digits down one.

In practice this never seems to happen - the top nybble of a denormalised
float value always seems to be 0x1 (presumably because that's implicit) so
there's never any carry to a higher digit. Maybe other platforms do it
differently.

Also VHEX_SIZE seems to be rounded up, so in practice there's no overrun.

But better safe than sorry.

sv.c

diff --git a/sv.c b/sv.c
index 59960a9..f12ad5f 100644 (file)
--- a/sv.c
+++ b/sv.c
@@ -12736,7 +12736,7 @@ Perl_sv_vcatpvfn_flags(pTHX_ SV *const sv, const char *const pat, const STRLEN p
                                      * way to the front, we need to
                                      * insert 0x1 in front, and adjust
                                      * the exponent. */
-                                    Move(v0, v0 + 1, vn, char);
+                                    Move(v0, v0 + 1, vn - 1, char);
                                     *v0 = 0x1;
                                     exponent += 4;
                                 }
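Review bot: The new count on the Move() line, vn - 1, is not explained in the comment above it, and it has a side effect worth stating: shifting only vn - 1 chars from v0 to v0 + 1 keeps the write inside the first vn positions, but the old last digit is overwritten and lost rather than carried. Please extend the comment to say that the trailing digit is dropped on purpose so the result still occupies vn chars from v0. The hunk also does not show a lower bound on vn; if vn could be 0 on this path, vn - 1 would be a wrong count (and a very large one if vn is unsigned), so an assert(vn > 0) before the Move() would make the assumption explicit. Since the commit message says this branch never seems to be reached in practice, a test that forces the carry to the front would be the only way to confirm the shifted output and exponent += 4 are right.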