author David Leadbeater <dgl@dgl.cx> 2011-05-14 13:57:21 +0100
committer Leon Brocard <acme@astray.com> 2011-06-01 08:49:14 +0100
commit f59d24d8aa7da6eb41d6cb93ad3683ac1fb1db17
tree 994d6a18519ad3706a119cd77075e8eee76dd0d7
parent af021af6468a4ef90c28f5220360c0c329c195f1
scan_heredoc could reallocate PL_parser->linestr's PV
Since f0e67a1 it was possible the freed buffer may be read from when parsing a heredoc. This adds a call to lex_grow_linestr to grow the buffer and ensure the pointers in PL_parser are updated.

The bug is pretty hard to reproduce, hence no test. I'm able to reproduce it with the following:

    perl -Meverywhere=re,debug -MParams::Util -e1

(cherry picked from commit 37c6a70c7d35357916da21616c68e56c878a5bd2)
-rw-r--r-- toke.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/toke.c b/toke.c
index 7b057e7662..1f4c805f27 100644
--- a/toke.c
+++ b/toke.c
@@ -12373,6 +12373,7 @@ S_scan_heredoc(pTHX_ register char *s)
if (*s == term && memEQ(s,PL_tokenbuf,len)) {
STRLEN off = PL_bufend - 1 - SvPVX_const(PL_linestr);
*(SvPVX(PL_linestr) + off ) = ' ';
+ lex_grow_linestr(SvCUR(PL_linestr) + SvCUR(herewas) + 1);
sv_catsv(PL_linestr,herewas);
PL_bufend = SvPVX(PL_linestr) + SvCUR(PL_linestr);
s = SvPVX(PL_linestr) + off; /* In case PV of PL_linestr moved. */
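Review bot: The added lex_grow_linestr(...) line in S_scan_heredoc has no comment saying why the buffer must be grown before sv_catsv(PL_linestr,herewas), so it reads as redundant next to a call that already extends the string and could be dropped in a later cleanup. After the append, this hunk recomputes only PL_bufend and s from the new SvPVX(PL_linestr), and the existing "In case PV of PL_linestr moved" comment covers just s; per the commit message, the purpose of the new call is that the other pointers in PL_parser are updated when the PV moves. Suggest a one-line comment above the call stating that, for example /* grow first so the parser's pointers into PL_linestr are fixed up if the PV moves */. Since the message says there is no test, it would also help to record how the reproduction command shows the freed-buffer read, so the fix can be re-verified on this branch.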