In perl.git, the branch blead has been updated <http://perl5.git.perl.org/perl.git/commitdiff/3781748131a087d117c33ad25b5211eb3c33afff?hp=2b6a5bfb1d5528005ca38fa7b8db46b49ae84e80>
- Log ----------------------------------------------------------------- commit 3781748131a087d117c33ad25b5211eb3c33afff Author: Dan Collins <dcolli...@gmail.com> Date: Wed Aug 24 14:19:09 2016 -0400 [RT #129069] Perl_yylex: Fix two use-after-free bugs Perl_yylex maintains up to two pointers, `s` and `d`, into the parser buffer at PL_bufptr. It can call skipspace(), which can potentially grow (and realloc) its argument. This can leave the second pointer pointing at the old buffer. Under most cases it isn't visible, because the old buffer isn't reused or zeroed. However, under Valgrind or libdislocator, this memory management error becomes visible. This patch saves the location of the second pointer in two locations, and restores it after the call to skipspace. ----------------------------------------------------------------------- Summary of changes: t/op/lex.t | 16 +++++++++++++++- toke.c | 5 ++++- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/t/op/lex.t b/t/op/lex.t index e68fab4..a667183 100644 --- a/t/op/lex.t +++ b/t/op/lex.t @@ -7,7 +7,7 @@ use warnings; BEGIN { chdir 't' if -d 't'; require './test.pl'; } -plan(tests => 28); +plan(tests => 30); { no warnings 'deprecated'; @@ -227,3 +227,17 @@ fresh_perl_is( like runperl(prog => 'sub ub(){0} ub ub', stderr=>1), qr/Bareword found/, '[perl #126482] Assert failure when mentioning a constant twice in a row'; + +fresh_perl_is( + "do\0"."000000", + "", + {}, + '[perl #129069] - no output and valgrind clean' +); + +fresh_perl_is( + "00my sub\0", + "Missing name in \"my sub\" at - line 1.\n", + {}, + '[perl #129069] - "Missing name" warning and valgrind clean' +); diff --git a/toke.c b/toke.c index 2da8366..dbeecd1 100644 --- a/toke.c +++ b/toke.c @@ -7509,7 +7509,9 @@ Perl_yylex(pTHX) 1, &len); if (len && (len != 4 || strNE(PL_tokenbuf+1, "CORE")) && !keyword(PL_tokenbuf + 1, len, 0)) { + SSize_t off = s-SvPVX(PL_linestr); d = skipspace(d); + s = SvPVX(PL_linestr)+off; if (*d == '(') { force_ident_maybe_lex('&'); s = d; @@ -8285,8 +8287,9 @@ Perl_yylex(pTHX) const int key = tmp; SV *format_name = NULL; - d = s; + SSize_t off = s-SvPVX(PL_linestr); s = skipspace(s); + d = SvPVX(PL_linestr)+off; if (isIDFIRST_lazy_if(s,UTF) || *s == '\'' -- Perl5 Master Repository