authorKarl Williamson <khw@cpan.org>2019-05-24 09:15:59 -0600
committerSteve Hay <steve.m.hay@googlemail.com>2019-10-21 12:40:44 +0100
commitad4505cd4311a096cbd8bfa370bce22cfb376a8a (patch)
treebc10f0f06941703d086e730d85887ec7d3ffb25e
parentd8e602f3ea85655a06712db2594c185b6e5aab52 (diff)
downloadperl-ad4505cd4311a096cbd8bfa370bce22cfb376a8a.tar.gz
PATCH: [perl #134134] read beyond end of buffer
This turns out to be because of a special input case in my_atof3(), wherein if the input length is 0, it calls strlen to find the length. The solution is to add a test and not call the function unless the length is positive. (cherry picked from commit 2d26cf4aed90a77ac5e93ddec29770756027b788)
-rw-r--r--regcomp.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/regcomp.c b/regcomp.c
index 9bd6dd3739..3ad09c52b2 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -23428,10 +23428,12 @@ Perl_parse_uniprop_string(pTHX_
* NV. */
NV value;
+ SSize_t value_len = lookup_len - equals_pos;
/* Get the value */
- if (my_atof3(lookup_name + equals_pos, &value,
- lookup_len - equals_pos)
+ if ( value_len <= 0
+ || my_atof3(lookup_name + equals_pos, &value,
+ value_len)
!= lookup_name + lookup_len)
{
goto failed;
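Review bot: The new `value_len <= 0` test carries no comment saying why an empty value must never reach my_atof3(), so it reads like ordinary input validation and could be dropped or reordered in a later cleanup. Per the commit message, my_atof3() treats a length of 0 as a request to call strlen(), which is what read beyond the end of the buffer; I would put `/* my_atof3() falls back to strlen() when given a length of 0, which can read past the end of lookup_name, so reject an empty value first */` above the `if`. The declarations of lookup_len and equals_pos are outside the hunk, so whether their difference can wrap before it is converted to SSize_t cannot be checked from here; if they are unsigned, the negative case presumably relies on that conversion and deserves a word in the same comment. The diffstat shows only regcomp.c changed, so a regression test with an input whose value part is empty would be worth adding alongside the fix. Perl_parse_uniprop_string's body starts and ends outside the hunk.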