pp.c: Guard against malformed UTF-8 input in ord()

This code got the actual length of the input scalar, but discarded it. If that scalar contains malformed UTF-8 that has fewer bytes than is indicated, a read beyond-buffer-end could happen. Simply use the actual length.
author: Karl Williamson <public@khwilliamson.com> 2014-01-01 09:49:04 -0700
committer: Karl Williamson <public@khwilliamson.com> 2014-01-01 11:50:37 -0700
commit: 4f6386b6c255e97472036daac543efef3399b495 (patch)
tree: 0baa0596434dcd26f73f7621e119b8ec2e82afbc /pp.c
parent: 6e89a33a76ad97097e5b456387f1289b6addf741 (diff)
download: perl-4f6386b6c255e97472036daac543efef3399b495.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/pp.c b/pp.c
index dd4d89a403..d626df5f7e 100644
--- a/pp.c
+++ b/pp.c
@@ -3324,11 +3324,12 @@ PP(pp_ord)
     if (PL_encoding && SvPOK(argsv) && !DO_UTF8(argsv)) {
         SV * const tmpsv = sv_2mortal(newSVsv(argsv));
         s = (U8*)sv_recode_to_utf8(tmpsv, PL_encoding);
+        len = UTF8SKIP(s);  /* Should be well-formed; so this is its length */
         argsv = tmpsv;
     }
 
     XPUSHu(DO_UTF8(argsv)
-           ? utf8n_to_uvchr(s, UTF8_MAXBYTES, 0, UTF8_ALLOW_ANYUV)
+           ? utf8n_to_uvchr(s, len, 0, UTF8_ALLOW_ANYUV)
            : (UV)(*s & 0xff));
 
     RETURN;
author	Karl Williamson <public@khwilliamson.com>	2014-01-01 09:49:04 -0700
committer	Karl Williamson <public@khwilliamson.com>	2014-01-01 11:50:37 -0700
commit	4f6386b6c255e97472036daac543efef3399b495 (patch)
tree	0baa0596434dcd26f73f7621e119b8ec2e82afbc /pp.c
parent	6e89a33a76ad97097e5b456387f1289b6addf741 (diff)
download	perl-4f6386b6c255e97472036daac543efef3399b495.tar.gz