| author | Tony Cook <tony@develop-help.com> | 2009-12-01 22:25:39 +1100 |
| committer | H.Merijn Brand <h.m.brand@xs4all.nl> | 2009-12-01 13:41:18 +0100 |
| commit | 0b3da58dfdc350792109691bb6c07a48109b9e12 (patch) | |
| tree | 8ca49111e192c7573512af6530f0acf0496b492b /toke.c | |
| parent | 235278186f2c0918cc73f3f4c9470f80eeaf8313 (diff) | |
| download | perl-0b3da58dfdc350792109691bb6c07a48109b9e12.tar.gz | |
-Dmad: double free or corruption
> If your perl has -Dmad, the following program crashes:
>
> $ bleadperl -we '$x="x" x 257; eval "for $x"'
> *** glibc detected *** bleadperl: double free or corruption (!prev): 0x0000000001dca670 ***
Change 6136c704 changed S_scan_ident from:
e = d + destlen - 3;
to:
register char * const e = d + destlen + 3;
where e is used to mark the end of the buffer. This meant that the
various buffer end checks allowed the various buffers supplied to
S_scan_ident to overflow.
Attached is a fix, various tests with fencepost checks on different
identifier lengths, and the specific case mentioned in the ticket.
Tony
Signed-off-by: H.Merijn Brand <h.m.brand@xs4all.nl>
Diffstat (limited to 'toke.c')
-rw-r--r-- | toke.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -11366,7 +11366,7 @@ S_scan_ident(pTHX_ register char *s, register const char *send, char *dest, STRL char *bracket = NULL; char funny = *s++; register char *d = dest; - register char * const e = d + destlen + 3; /* two-character token, ending NUL */ + register char * const e = d + destlen - 3; /* two-character token, ending NUL */ PERL_ARGS_ASSERT_SCAN_IDENT; |
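Review bot: the restored bound `e = d + destlen - 3` assumes destlen >= 3; with a smaller destination buffer the subtraction places `e` before `dest` and the end-of-buffer checks that compare against `e` no longer describe the real buffer, so suggest documenting that caller contract or adding an assertion next to `PERL_ARGS_ASSERT_SCAN_IDENT;`, e.g. `assert(destlen >= 3);`. The comment `/* two-character token, ending NUL */` would also read better if it said what the three bytes are reserved for, i.e. that `e` is the last position at which a two-character token plus the terminating NUL still fits. The fencepost tests the commit message refers to are outside this diffstat (limited to 'toke.c'), so they cannot be reviewed against this hunk.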