RT#130624: heap-use-after-free in 4-arg substr

author: Aaron Crane <arc@cpan.org> 2017-01-24 23:39:40 +0000
committer: David Mitchell <davem@iabyn.com> 2017-02-27 12:14:59 +0000
commit: 41b1e858a075694f88057b9514f5fc78c80b5355 (patch)
tree: dae183bcdb92d5e4c5d9b8ab2709a5108e1ca5e2 /pp.c
parent: 78e4f28fec5bf0c2d3d8edbbd73ac68db3308f05 (diff)
download: perl-41b1e858a075694f88057b9514f5fc78c80b5355.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/pp.c b/pp.c
index 62316fc8b4..a640995e31 100644
--- a/pp.c
+++ b/pp.c
@@ -3396,8 +3396,10 @@ PP(pp_substr)
 	tmps = SvPV_force_nomg(sv, curlen);
 	if (DO_UTF8(repl_sv) && repl_len) {
 	    if (!DO_UTF8(sv)) {
+                /* Upgrade the dest, and recalculate tmps in case the buffer
+                 * got reallocated; curlen may also have been changed */
 		sv_utf8_upgrade_nomg(sv);
-		curlen = SvCUR(sv);
+		tmps = SvPV_nomg(sv, curlen);
 	    }
 	}
 	else if (DO_UTF8(sv))
author	Aaron Crane <arc@cpan.org>	2017-01-24 23:39:40 +0000
committer	David Mitchell <davem@iabyn.com>	2017-02-27 12:14:59 +0000
commit	41b1e858a075694f88057b9514f5fc78c80b5355 (patch)
tree	dae183bcdb92d5e4c5d9b8ab2709a5108e1ca5e2 /pp.c
parent	78e4f28fec5bf0c2d3d8edbbd73ac68db3308f05 (diff)
download	perl-41b1e858a075694f88057b9514f5fc78c80b5355.tar.gz