author | Father Chrysostomos <sprout@cpan.org> | 2013-08-24 18:02:09 -0700 |
---|---|---|
committer | Father Chrysostomos <sprout@cpan.org> | 2013-08-25 06:39:28 -0700 |
commit | e8eb279cb8d8b30256eb8b1957e1dabed28fc4eb (patch) | |
tree | 4ecc06a52d1ab4fb015da2e28803da335120ab95 /scope.h | |
parent | e94bb4701fe9ef6ea7467f3fbc456bd68d184ef0 (diff) | |
download | perl-e8eb279cb8d8b30256eb8b1957e1dabed28fc4eb.tar.gz |
Use SSize_t for tmps stack offsets

This is a partial fix for #119161.

On 64-bit platforms, I32 is too small to hold offsets into a stack
that can grow larger than I32_MAX. What happens is the offsets can
wrap so we end up referencing and modifying elements with negative
indices, corrupting memory, and causing crashes.

With this commit, ()=1..1000000000000 stops crashing immediately.
Instead, it gobbles up all your memory first, and then, if your
computer still survives, crashes. The second crash happens because of
a similar bug with the argument stack, which the next commit will
take care of.

Diffstat (limited to 'scope.h')
-rw-r--r-- | scope.h | 5 |
1 files changed, 3 insertions, 2 deletions
@@ -64,7 +64,7 @@ #define SAVEt_SAVESWITCHSTACK 39 #define SAVEt_SHARED_PVREF 40 #define SAVEt_SPTR 41 -/* UNUSED 42 */ +#define SAVEt_STRLEN 42 #define SAVEt_SV 43 #define SAVEt_SVREF 44 #define SAVEt_VPTR 45 @@ -186,7 +186,8 @@ scope has the given name. Name must be a literal string. =cut */ -#define SAVETMPS save_int((int*)&PL_tmps_floor), PL_tmps_floor = PL_tmps_ix +#define SAVETMPS Perl_save_strlen(aTHX_ (STRLEN *)&PL_tmps_floor), \ + PL_tmps_floor = PL_tmps_ix #define FREETMPS if (PL_tmps_ix > PL_tmps_floor) free_tmps() #ifdef DEBUGGING |
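Review bot: In the first hunk, `SAVEt_STRLEN` takes over slot 42, previously marked `/* UNUSED 42 */`, but this view is limited to scope.h, so the restore side of the new save type is not visible here. Please confirm that the code which unwinds the save stack has a case for 42 that restores a full STRLEN-sized value; an unhandled or int-sized restore would bring back the truncation the commit message describes.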
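Review bot: In the second hunk, the new `SAVETMPS` keeps a pointer cast, `(STRLEN *)&PL_tmps_floor`, in place of the removed `(int*)&PL_tmps_floor`, and a cast like that hides any mismatch between the variable's declared type and the type the save routine writes back. The subject line says the offsets become SSize_t, which is signed, while STRLEN is unsigned, so the save and restore only round-trip correctly when both types have the same size. Suggest a save helper that takes the variable's real type so the cast can go, or at minimum a comment beside the macro stating the size assumption. Calling `Perl_save_strlen(aTHX_ ...)` directly also means every user of `SAVETMPS` needs an interpreter context in scope, which is worth a line in the macro's documentation.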