diff options
author | Tony Cook <tony@develop-help.com> | 2018-08-20 16:31:45 +1000 |
---|---|---|
committer | Tony Cook <tony@develop-help.com> | 2018-09-21 10:23:08 +1000 |
commit | 12cad9bd99725bba72029e2651b2b7f0cab2e0b0 (patch) | |
tree | 22ead3858e2707030696a8bb4abda102f8a9f55e | |
parent | 30a6480c0da19d85d20a159b9179b5b212c8c768 (diff) | |
download | perl-12cad9bd99725bba72029e2651b2b7f0cab2e0b0.tar.gz |
(perl #132655) nul terminate result of unpack "u" of invalid data
In the given test case, Perl_atof2() would run off the end of the PV,
producing an error from ASAN.
-rw-r--r-- | pp_pack.c | 5 | ||||
-rw-r--r-- | t/op/pack.t | 9 |
2 files changed, 12 insertions, 2 deletions
@@ -1727,7 +1727,10 @@ S_unpack_rec(pTHX_ tempsym_t* symptr, const char *s, const char *strbeg, const c if (!checksum) { const STRLEN l = (STRLEN) (strend - s) * 3 / 4; sv = sv_2mortal(newSV(l)); - if (l) SvPOK_on(sv); + if (l) { + SvPOK_on(sv); + *SvEND(sv) = '\0'; + } } /* Note that all legal uuencoded strings are ASCII printables, so diff --git a/t/op/pack.t b/t/op/pack.t index cf0e286509..bb9f865091 100644 --- a/t/op/pack.t +++ b/t/op/pack.t @@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' : my $no_signedness = $] > 5.009 ? '' : "Signed/unsigned pack modifiers not available on this perl"; -plan tests => 14717; +plan tests => 14718; use strict; use warnings qw(FATAL all); @@ -2081,3 +2081,10 @@ SKIP: fresh_perl_like('pack "c10f1073741824"', qr/Out of memory during pack/, { stderr => 1 }, "integer overflow calculating allocation (multiply)"); } + +{ + # [perl #132655] heap-buffer-overflow READ of size 11 + # only expect failure under ASAN (and maybe valgrind) + fresh_perl_is('0.0 + unpack("u", "ab")', "", { stderr => 1 }, + "ensure unpack u of invalid data nul terminates result"); +} |