diff options
author | Karl Williamson <khw@cpan.org> | 2019-05-24 09:15:59 -0600 |
---|---|---|
committer | Steve Hay <steve.m.hay@googlemail.com> | 2019-10-21 12:40:44 +0100 |
commit | ad4505cd4311a096cbd8bfa370bce22cfb376a8a (patch) | |
tree | bc10f0f06941703d086e730d85887ec7d3ffb25e | |
parent | d8e602f3ea85655a06712db2594c185b6e5aab52 (diff) | |
download | perl-ad4505cd4311a096cbd8bfa370bce22cfb376a8a.tar.gz |
PATCH: [perl #134134] read beyond end of buffer
This turns out to be because of a special input case in myatof3(),
wherein if the input length is 0, it call strlen to find the length.
The solution is to add a test and not call the function unless the
length is positive.
(cherry picked from commit 2d26cf4aed90a77ac5e93ddec29770756027b788)
-rw-r--r-- | regcomp.c | 6 |
1 files changed, 4 insertions, 2 deletions
@@ -23428,10 +23428,12 @@ Perl_parse_uniprop_string(pTHX_ * NV. */ NV value; + SSize_t value_len = lookup_len - equals_pos; /* Get the value */ - if (my_atof3(lookup_name + equals_pos, &value, - lookup_len - equals_pos) + if ( value_len <= 0 + || my_atof3(lookup_name + equals_pos, &value, + value_len) != lookup_name + lookup_len) { goto failed; |