author | David Leadbeater <dgl@dgl.cx> | 2011-05-14 13:57:21 +0100 |
---|---|---|
committer | Father Chrysostomos <sprout@cpan.org> | 2011-05-18 22:20:43 -0700 |
commit | 37c6a70c7d35357916da21616c68e56c878a5bd2 (patch) | |
tree | fe7ab7c9ee4892844640e97226a3f17709389ad0 | |
parent | ea74ff717a4ba16fc7b858acd65cc2c893970c30 (diff) | |

scan_heredoc could reallocate PL_parser->linestr's PV

Since f0e67a1 it was possible the freed buffer may be read from when
parsing a heredoc. This adds a call to lex_grow_linestr to grow the
buffer and ensure the pointers in PL_parser are updated.

The bug is pretty hard to reproduce, hence no test. I'm able to
reproduce it with the following:

    perl -Meverywhere=re,debug -MParams::Util -e1

-rw-r--r-- | toke.c | 1 |
1 files changed, 1 insertions, 0 deletions
@@ -9443,6 +9443,7 @@ S_scan_heredoc(pTHX_ register char *s) if (*s == term && memEQ(s,PL_tokenbuf,len)) { STRLEN off = PL_bufend - 1 - SvPVX_const(PL_linestr); *(SvPVX(PL_linestr) + off ) = ' '; + lex_grow_linestr(SvCUR(PL_linestr) + SvCUR(herewas) + 1); sv_catsv(PL_linestr,herewas); PL_bufend = SvPVX(PL_linestr) + SvCUR(PL_linestr); s = SvPVX(PL_linestr) + off; /* In case PV of PL_linestr moved. */ |
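
Review bot: The added `lex_grow_linestr(SvCUR(PL_linestr) + SvCUR(herewas) + 1);` line has no comment, and without one the explicit grow looks redundant next to the `sv_catsv(PL_linestr,herewas)` that follows it, so a later cleanup could remove it and bring the stale-buffer read back. Please add a short comment on that line saying the buffer is pre-grown so that the pointers in PL_parser are updated before the append, and that the `+ 1` is deliberate (state what it reserves). The existing "In case PV of PL_linestr moved" comment only covers the recomputation of `s` from `off`; it would also help to confirm that `s` is the only local pointer into the old PV that is still live here, since only `s` and `PL_bufend` are refreshed in the visible lines. Since the commit message gives a reproduction command but no test, consider recording that command near the fix or in a TODO test so the regression can be rechecked.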