diff options
author | Karl Williamson <khw@cpan.org> | 2019-03-08 10:01:48 -0700 |
---|---|---|
committer | Karl Williamson <khw@cpan.org> | 2019-03-08 10:18:56 -0700 |
commit | 56e36cbf2fdf9d90f61690c1c3fc35af0d65e0cd (patch) | |
tree | b6a7db53e66ae978f4b4261ec369b69e2215530b /pp.c | |
parent | ff736663d576ffad28573e0034109dc2da50d18d (diff) | |
download | perl-56e36cbf2fdf9d90f61690c1c3fc35af0d65e0cd.tar.gz |
PATCH: [perl #133876] Write out of bounds
This was caused by a lapse on my part about the inputs to this function
that grows memory. I was thinking the trailing NUL was included, but
it's not. This patch adds space for that to all calls of
sv_utf8_upgrade_flags_grow() in the file.
But it occurs to me that maybe the function itself should just add one
instead of having the caller do it. If you think so, let me know.
Diffstat (limited to 'pp.c')
-rw-r--r-- | pp.c | 9 |
1 files changed, 6 insertions, 3 deletions
@@ -4300,7 +4300,8 @@ PP(pp_uc) SvCUR_set(dest, len); len = sv_utf8_upgrade_flags_grow(dest, SV_GMAGIC|SV_FORCE_UTF8_UPGRADE, - extra); + extra + + 1 /* trailing NUL */ ); d = (U8*)SvPVX(dest) + len; /* Now process the remainder of the source, simultaneously @@ -4434,7 +4435,8 @@ PP(pp_lc) * when converted to UTF-8 */ sv_utf8_upgrade_flags_grow(dest, 0, len + I_count - + variant_under_utf8_count(s, send)); + + variant_under_utf8_count(s, send) + + 1 /* Trailing NUL */ ); d = (U8*)SvPVX(dest); has_turkic_I = TRUE; } @@ -4803,7 +4805,8 @@ PP(pp_fc) SvCUR_set(dest, len); len = sv_utf8_upgrade_flags_grow(dest, SV_GMAGIC|SV_FORCE_UTF8_UPGRADE, - extra); + extra + + 1 /* Trailing NUL */ ); d = (U8*)SvPVX(dest) + len; *d++ = UTF8_TWO_BYTE_HI(GREEK_SMALL_LETTER_MU); |