authorDavid Mitchell <davem@iabyn.com>2017-02-04 15:10:49 +0000
committerDavid Mitchell <davem@iabyn.com>2017-02-04 16:03:17 +0000
commite452bf1c9e9f30813b1f289188a6e8b0894575ba (patch)
tree6bdcb279ba9ba67ae360cf50f83e54209a5fdcfd /pp_ctl.c
parent7594f18f6aa16e16707d34a484c75a3e6c702b54 (diff)
buffer overrun with format and 'use bytes'
RT #130703 In the scope of 'use bytes', when appending a string to a format where the format is utf8 and the string is non-utf8 but contains lots of chars with ords >= 128, the buffer could be overrun. This is due to all the \x80-type chars going from being stored as 1 byte to 2 bytes, without growing PL_formtarget accordingly. This commit contains a minimal fix; the next commit will more generally tidy up the grow code in pp_formline.
Diffstat (limited to 'pp_ctl.c')
-rw-r--r--pp_ctl.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/pp_ctl.c b/pp_ctl.c
index f48f3013ce..799baa456b 100644
--- a/pp_ctl.c
+++ b/pp_ctl.c
@@ -505,6 +505,8 @@ PP(pp_formline)
SvTAINTED_on(PL_formtarget);
if (DO_UTF8(PL_formtarget))
targ_is_utf8 = TRUE;
+ /* this is an initial estimate of how much output buffer space
+ * to allocate. It may be exceeded later */
linemax = (SvCUR(formsv) * (IN_BYTES ? 1 : 3) + 1);
t = SvGROW(PL_formtarget, len + linemax + 1);
/* XXX from now onwards, SvCUR(PL_formtarget) is invalid */
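Review bot: The new comment above `linemax` says the estimate may be exceeded, but not when, or what later code must do about it, which is the part a maintainer needs. With `IN_BYTES` the multiplier is 1, yet per the commit message a utf8 target still stores each high-bit byte of a non-utf8 item as 2 bytes, so the estimate is too small in exactly that combination. I would spell that out, e.g. `/* initial estimate only: under 'use bytes' the factor is 1 even though a utf8 target may need 2 bytes per source byte, so any later append must regrow PL_formtarget before writing through t */`. pp_formline starts and ends outside this hunk, so where those regrow checks live is not visible here.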
@@ -766,6 +768,7 @@ PP(pp_formline)
if (targ_is_utf8 && !item_is_utf8) {
source = tmp = bytes_to_utf8(source, &to_copy);
+ grow = to_copy;
} else {
if (item_is_utf8 && !targ_is_utf8) {
U8 *s;
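Review bot: The added `grow = to_copy;` is the actual overrun fix but carries no comment, and nothing in this hunk shows how `grow` is consumed. `bytes_to_utf8()` is passed `&to_copy` and updates it to the converted length, so the assignment presumably requests that many bytes of room; a one-line comment such as `/* to_copy is now the utf8 length, up to twice the byte length; make sure the target is grown by that much */` would keep the announced tidy-up from dropping it. It is worth confirming in the code after this hunk that the grow is applied relative to the current write position `t` before the copy, since the XXX comment earlier in the function says SvCUR(PL_formtarget) is invalid by this point. The enclosing block of pp_formline continues outside the hunk.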