diff options
author | David Mitchell <davem@iabyn.com> | 2019-09-14 16:18:46 +0100 |
---|---|---|
committer | David Mitchell <davem@iabyn.com> | 2019-09-14 16:18:46 +0100 |
commit | 4a69216a74159df74779841fa79d731bcc5c6a9d (patch) | |
tree | 79e2cd0179468b62e9197b966f24ec1c263998f5 /pp_ctl.c | |
parent | 06bfb2b160cbeb01bc6647c61f89d0b04dc4698b (diff) | |
download | perl-4a69216a74159df74779841fa79d731bcc5c6a9d.tar.gz |
Avoid panic when last s///g is tainted and utf8
RT #134409
In a repeated substitution, where the replacement is an expression,
and when the last replacement value is both tainted and utf8, and
everything earlier has been plain, and the final string is suitably
shorter than the original, a panic resulted:
sv_pos_b2u: bad byte offset, blen=1, byte=6
This is because when at the end, taint magic is being being added to
the target of the s///, the target SV has already had its buffer updated
with the shorter result string, but still has the pos() magic set which
corresponded to the original longer string (this pos value would, in the
normal flow of things, be reset shortly afterwards).
One quirk of sv_magic(), which adds any sort of magic including taint
magic, is that it always checks for the presence of pos() magic, and if
so, converts the byte to utf8 offset if necessary. This was seeing the
invalid pos() offset and panicing.
The check was added by v5.19.3-111-g25fdce4a16:
"Stop pos() from being confused by changing utf8ness"
It seems like a bit of hack to recalibrate pos() each time sv_magic()
is called, but I've left that alone (sleeping dogs and all that) and
instead added a hack in the taint code path in pp_substcont to reset pos
before setting taint.
Diffstat (limited to 'pp_ctl.c')
-rw-r--r-- | pp_ctl.c | 18 |
1 files changed, 18 insertions, 0 deletions
@@ -275,6 +275,24 @@ PP(pp_substcont) cBOOL(cx->sb_rxtainted & (SUBST_TAINT_STR|SUBST_TAINT_PAT|SUBST_TAINT_REPL)) ); + + /* sv_magic(), when adding magic (e.g.taint magic), also + * recalculates any pos() magic, converting any byte offset + * to utf8 offset. Make sure pos() is reset before this + * happens rather than using the now invalid value (since + * we've just replaced targ's pvx buffer with the + * potentially shorter dstr buffer). Normally (i.e. in + * non-taint cases), pos() gets removed a few lines later + * with the SvSETMAGIC(). + */ + { + MAGIC *mg; + mg = mg_find_mglob(targ); + if (mg) { + MgBYTEPOS_set(mg, targ, SvPVX(targ), -1); + } + } + SvTAINT(TARG); } /* PL_tainted must be correctly set for this mg_set */ |