diff options
| author | Karl Williamson <khw@cpan.org> | 2019-03-19 12:37:04 -0600 |
|---|---|---|
| committer | Karl Williamson <khw@cpan.org> | 2019-03-19 12:50:49 -0600 |
| commit | 0b97d15690d19a1fee0c903da7f5898764d8f15e (patch) | |
| tree | 03c07707c5dc861b4941a2b3e515dd55575937d3 | |
| parent | 83a1b28e808bee1a60973291307e3ce0cb77aad5 (diff) | |
| download | perl-0b97d15690d19a1fee0c903da7f5898764d8f15e.tar.gz | |
PATCH: [perl #133937] Assertion failure
This recently added assertion actually caught an error, which is a
potential read beyond end of buffer. This doesn't actually happen in
this case because this is a regular expression pattern, and the toker
makes sure there is a trailing NUL (that isn't counted).
The solution is to check the bounds before reading.
| -rw-r--r-- | dquote.c | 13 | ||||
| -rw-r--r-- | t/re/reg_mesg.t | 2 |
2 files changed, 15 insertions, 0 deletions
@@ -210,8 +210,21 @@ Perl_grok_bslash_x(pTHX_ char **s, const char * const send, UV *uv, assert(*(*s - 1) == '\\'); assert(* *s == 'x'); + (*s)++; + if (send <= *s) { + if (strict) { + *error_msg = "Empty \\x"; + return FALSE; + } + + /* Sadly, to preserve backcompat, an empty \x at the end of string is + * interpreted as a NUL */ + *uv = 0; + return TRUE; + } + if (strict || ! output_warning) { flags |= PERL_SCAN_SILENT_ILLDIGIT; } diff --git a/t/re/reg_mesg.t b/t/re/reg_mesg.t index 667621e80d..8634866f2d 100644 --- a/t/re/reg_mesg.t +++ b/t/re/reg_mesg.t @@ -411,6 +411,8 @@ my @death_only_under_strict = ( => 'Unescaped left brace in regex is illegal here {#} m/[x]{{#}/', '/\p{Latin}{/' => 'Unescaped left brace in regex is passed through {#} m/\p{Latin}{{#}/', => 'Unescaped left brace in regex is illegal here {#} m/\p{Latin}{{#}/', + '/\x{100}\x/' => "", + => "Empty \\x {#} m/\\x{100}\\x{#}/", ); # These need the character 'ネ' as a marker for mark_as_utf8() |