From e487ff5ee8f0cde894977f61d319c0c4e44aa0bd Mon Sep 17 00:00:00 2001
From: David Mitchell
Date: Tue, 16 Aug 2016 13:50:46 +0100
Subject: [PATCH] buffer overflow in "string terminator" err msg
RT #128952 In eval "q" . chr(100000000064); generating the error message C was overrunning a buffer designed to hold a single utf8 char, since it wasn't allowing for the \0 at the end.
---
 t/comp/parser.t | 11 ++++++++++-
 toke.c | 2 +-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/t/comp/parser.t b/t/comp/parser.t
index ebfcb9d..5ca07ea 100644
--- a/t/comp/parser.t
+++ b/t/comp/parser.t
@@ -8,7 +8,7 @@ BEGIN {
 chdir 't' if -d 't';
 }
-print "1..185\n";
+print "1..186\n";
 sub failed {
 my ($got, $expected, $name) = @_;
@@ -573,6 +573,15 @@ is $@, "", 'read into keys';
 eval 'substr keys(%h),0,=3';
 is $@, "", 'substr keys assignment';
+# very large utf8 char in error message was overflowing buffer
+{
+
+ no warnings;
+ eval "q" . chr(100000000064);
+ like $@, qr/Can't find string terminator "." anywhere before EOF/,
+ 'RT 128952';
+}
+
 # Add new tests HERE (above this line)
 # bug #74022: Loop on characters in \p{OtherIDContinue}
diff --git a/toke.c b/toke.c
index 2c28146..5e11253 100644
--- a/toke.c
+++ b/toke.c
@@ -554,7 +554,7 @@ S_no_op(pTHX_ const char *const what, char *s)
 STATIC void
 S_missingterm(pTHX_ char *s)
 {
- char tmpbuf[UTF8_MAXBYTES];
+ char tmpbuf[UTF8_MAXBYTES + 1];
 char q;
 bool uni = FALSE;
 SV *sv;
-- 1.8.3.1
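Review bot: A one-byte overrun like the one in the commit message may not crash an uninstrumented build, and the added RT 128952 block in t/comp/parser.t checks only the text of `$@`, so this test is probably decisive only when perl is built with a memory checker or stack protector. A comment above the `eval` would make that expectation explicit, for example `# overrun was only one byte: most reliably caught under ASan/valgrind`. The `"."` in the pattern accepts any single character as the reported terminator, which looks intentional given the oversized code point, but a short comment saying so would stop it being tightened by mistake.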
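Review bot: The `+ 1` in `char tmpbuf[UTF8_MAXBYTES + 1];` carries the whole fix, yet nothing on the line says why it is there, so a later tidy-up could shrink the buffer again; I would write it as `char tmpbuf[UTF8_MAXBYTES + 1]; /* +1 for the trailing NUL */`. The code that fills and terminates tmpbuf is outside the hunk (the body of S_missingterm continues past `SV *sv;`), so it cannot be confirmed from here that every branch stays within the new size. It would also be worth checking whether other buffers declared as `[UTF8_MAXBYTES]` are NUL-terminated after a UTF-8 encode, since the same off-by-one would apply to them.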