From f4460c6f7a0de152ddaed69a0ba0efe653258f81 Mon Sep 17 00:00:00 2001
From: Father Chrysostomos
Date: Sun, 22 Feb 2015 14:34:42 -0800
Subject: [perl #123801] Stop s##[}#e from crashing

The lexer normally turns s##...#e into

    PMFUNC '(' WORD '/' DO '{' ... ';' '}' ')'

If you have [} inside the replacement, that becomes '[' ';' '}'.

When the parser gets to the second semicolon, it pops scopes to try to
recover from the syntax error, and in so doing it exits the inner lexing
scope that was set up for the substitution.

When that happens, the second '}' is already on the pending token stack.
Since we set the lexing state to LEX_KNOWNEXT when there is a pending
token (though we may not have to; see 7aa8cb0dec1), we have to record a
pending state as well, so we know what to set the state back to. That
pending state is not localised, and, in this case, was set before the
scopes were popped.

So we end up in the outermost lexing scope, with the lexing state set to
LEX_INTERPEND.

Inside an inner lexing scope, PL_linestr is of type PVIV, with the IVX
field used to hold extra information about the type of quote. In the
main lexing scope, PL_linestr is an SVt_PV with no IVX field.

If the lexing state is LEX_INTERPanything, it is assumed that PL_linestr
has an IVX field, which is not the case here, so we fail an assertion or
crash.

The safest pre-5.22 solution is to check the type of PL_linestr before
reading IVX.
---
 t/base/lex.t | 3 +++
 1 file changed, 3 insertions(+)

(limited to 't/base')

diff --git a/t/base/lex.t b/t/base/lex.t
index 5449b46c7c..47816fc13d 100644
--- a/t/base/lex.t
+++ b/t/base/lex.t
@@ -494,3 +494,6 @@ eval '"$a{ 1 m// }"; //';
 local $SIG{__WARN__}=sub{};
 eval q|s)$0{0h());qx(@0);qx(@0);qx(@0)|;
 }
+
+# Used to crash [perl #123801]
+eval q|s##[}#e|;
-- 
cgit v1.2.1
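Review bot: the new `eval q|s##[}#e|;` at the end of the hunk sits outside the block just above it that localises `$SIG{__WARN__}`, so any warning the expected syntax error emits will reach the test output, and the only pass condition is that the eval returns at all. Suggest moving it inside that block or adding its own `local $SIG{__WARN__}=sub{};`, and, since the commit message describes the input as a syntax error the parser recovers from, checking that `$@` is set afterwards would also catch a regression where the lexer silently accepts the input. Note that the diffstat shows only t/base/lex.t (the listing is limited to 't/base'), so the toke.c change the message describes, checking the type of PL_linestr before reading IVX, has to be reviewed in the full commit.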