Fix an out of bounds write in Data-Dumper with malformed utf8 input

When warnings are enabled and Dumper() is called with an invalid utf8
string that still has the UTF8 flag on, esc_q_utf8() miscounts the size
of the escaped string.

2 files changed, 18 insertions, 2 deletions

diff --git a/dist/Data-Dumper/Dumper.xs b/dist/Data-Dumper/Dumper.xs
index 78459624ae..ce38ec019d 100644
--- a/dist/Data-Dumper/Dumper.xs
+++ b/dist/Data-Dumper/Dumper.xs
@@ -142,11 +142,15 @@ esc_q_utf8(pTHX_ SV* sv, register const char *src, register STRLEN slen)
     STRLEN single_quotes = 0;
     STRLEN qq_escapables = 0;	/* " $ @ will need a \ in "" strings.  */
     STRLEN normal = 0;
+    int increment;
 
     /* this will need EBCDICification */
-    for (s = src; s < send; s += UTF8SKIP(s)) {
+    for (s = src; s < send; s += increment) {
         const UV k = utf8_to_uvchr((U8*)s, NULL);
 
+        /* check for invalid utf8 */
+        increment = (k == 0 && *s != '\0') ? 1 : UTF8SKIP(s);
+
 #ifdef EBCDIC
 	if (!isprint(k) || k > 256) {
 #else
diff --git a/dist/Data-Dumper/t/bugs.t b/dist/Data-Dumper/t/bugs.t
index 3c5d141298..ceca4b9f94 100644
--- a/dist/Data-Dumper/t/bugs.t
+++ b/dist/Data-Dumper/t/bugs.t
@@ -12,7 +12,7 @@ BEGIN {
 }
 
 use strict;
-use Test::More tests => 6;
+use Test::More tests => 7;
 use Data::Dumper;
 
 {
@@ -85,4 +85,16 @@ Data::Dumper->Dump([*{*STDERR{IO}}]);
 ok("ok", #ok
    "empty-string glob [perl #72332]");
 
+# writing out of bounds with malformed utf8
+SKIP: {
+    eval { require Encode };
+    skip("Encode not available", 1) if $@;
+    local $^W=1;
+    local $SIG{__WARN__} = sub {};
+    my $a="\x{fc}'" x 50;
+    Encode::_utf8_on($a);
+    Dumper $a;
+    ok("ok", "no crash dumping malformed utf8 with the utf8 flag on");
+}
+
 # EOF