In perl.git, the branch blead has been updated <http://perl5.git.perl.org/perl.git/commitdiff/6bf48f47bbdbe4838b70d67830ead4ebc3d318d4?hp=5a04397369a036f9a5c8e299f1a215c2fac4b6c8>
- Log -----------------------------------------------------------------
commit 6bf48f47bbdbe4838b70d67830ead4ebc3d318d4
Author: Nicholas Clark <[email protected]>
Date:   Mon Mar 25 11:56:40 2013 +0100

    In S_scan_heredoc(), avoid memNE() reading beyond the end of s.

    If the heredoc terminator we are searching for is longer than the bytes
    remaining in s, then the memNE() would read beyond initialised memory.
    Hence change the loop bounds to avoid this case, and change the failure
    case below to reflect the revised end-of-loop condition.

    It doesn't matter that the loop no longer increments shared->herelines,
    because the failure case calls S_missingterm(), which croaks.

M       toke.c

commit 621baac6f8d24886a415fe9240af154fccad42c7
Author: Nicholas Clark <[email protected]>
Date:   Mon Mar 25 10:53:33 2013 +0100

    In S_scan_heredoc(), the explicit test for '\n' duplicates the strNE().

    PL_tokenbuf always starts with '\n', so a separate test of *s against '\n'
    is duplicate work. Hence remove it, to make the code simpler and clearer.

M       toke.c

commit ba90859e610c9bec1956b5c7e11f5b4942e3a760
Author: Nicholas Clark <[email protected]>
Date:   Mon Mar 25 10:20:05 2013 +0100

    PerlIO_find_layer should not be using memEQ() off the end of the layer name.

    PerlIO_find_layer was using memEQ() to compare the name of the desired
    layer with each layer in the array of known layers. However, it was always
    using the length of the desired layer for the comparison, whatever the
    length of the name it was comparing it with, resulting in out-of-bounds
    reads.

M       perlio.c
-----------------------------------------------------------------------

Summary of changes:
 perlio.c | 3 ++-
 toke.c   | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/perlio.c b/perlio.c index d356a7b..2e5a77d 100644 --- a/perlio.c +++ b/perlio.c 
@@ -811,7 +811,8 @@ PerlIO_find_layer(pTHX_ const char *name, STRLEN len, int load) len = strlen(name); for (i = 0; i < PL_known_layers->cur; i++) { PerlIO_funcs * const f = PL_known_layers->array[i].funcs; - if (memEQ(f->name, name, len) && f->name[len] == 0) { + const STRLEN this_len = strlen(f->name); + if (this_len == len && memEQ(f->name, name, len)) { PerlIO_debug("%.*s => %p\n", (int) len, name, (void*)f); return f; } diff --git a/toke.c b/toke.c index 66a197f..35cd364 100644 --- a/toke.c +++ b/toke.c @@ -9959,12 +9959,12 @@ S_scan_heredoc(pTHX_ char *s) linestr = shared->ls_linestr; bufend = SvEND(linestr); d = s; - while (s < bufend && - (*s != '\n' || memNE(s,PL_tokenbuf,len)) ) { + while (s < bufend - len + 1 && + memNE(s,PL_tokenbuf,len) ) { if (*s++ == '\n') ++shared->herelines; } - if (s >= bufend) { + if (s >= bufend - len + 1) { goto interminable; } sv_setpvn(tmpstr,d+1,s-d); -- Perl5 Master Repository
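Review bot: In the perlio.c hunk, the `this_len == len` test placed before `memEQ(f->name, name, len)` is what stops the compare from reading past the end of a shorter layer name, but nothing in the code records that the order of the two operands is load-bearing; a one-line comment such as `/* lengths first: memEQ must not read past the end of f->name */` would keep a later cleanup from folding it back into the old `memEQ(...) && f->name[len] == 0` form. Calling `strlen(f->name)` for every known layer on every lookup is a small, repeated cost; if it ever matters, the length could be stored next to the name in the known-layers array, but that is a bigger change than this fix needs.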
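Review bot: In the toke.c hunk, `bufend - len + 1` is computed before anything checks that at least `len` bytes remain, so when the buffer holds fewer than `len - 1` bytes it forms a pointer before the start of the buffer; that is undefined behaviour in C even though the comparison happens to work on flat-address-space targets. Writing the bound as `(STRLEN)(bufend - s) >= len` (or equivalently `s + len <= bufend`) expresses the same limit without forming an out-of-range pointer, and the same expression can replace the duplicated `s >= bufend - len + 1` in the `interminable` test below so the two conditions cannot drift apart. Dropping the `*s != '\n'` short-circuit also means `memNE()` now runs at every byte instead of only at newlines; that is correct because PL_tokenbuf begins with '\n', but a comment at the loop saying so, together with the commit-message point that `shared->herelines` is no longer incremented on the failure path because `S_missingterm()` croaks, would save the next reader from re-deriving both.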
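Both fixes above apply the same defensive pattern: establish how many bytes are actually available before handing a fixed length to a memory compare. The C below is an added example, not code from perl.git or from the commits in this notification; it uses a constructed table of layer names and a constructed heredoc buffer, and the names `find_layer`, `find_terminator` and `terminator_offset` are assumptions chosen for the example rather than Perl's own functions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for Perl's table of known PerlIO layers (PL_known_layers). */
struct layer { const char *name; };
static const struct layer known_layers[] = {
    { "unix" }, { "perlio" }, { "crlf" }, { "utf8" },
};
#define N_LAYERS (sizeof known_layers / sizeof known_layers[0])

/* Look up a layer by a (name, len) pair; name need not be NUL-terminated.
 * Comparing lengths first means memcmp() only runs on equal-length names, so
 * it never reads past the end of the shorter string, which is exactly what
 * the old memEQ(f->name, name, len) did whenever f->name was shorter than len. */
const struct layer *find_layer(const char *name, size_t len)
{
    size_t i;
    if (len == 0)
        len = strlen(name);            /* same fallback as PerlIO_find_layer */
    for (i = 0; i < N_LAYERS; i++) {
        const struct layer *f = &known_layers[i];
        const size_t this_len = strlen(f->name);
        if (this_len == len && memcmp(f->name, name, len) == 0)
            return f;
    }
    return NULL;
}

/* Search [s, bufend) for the len-byte terminator term. The bound is written
 * as (bufend - s) >= len so that no pointer before s is ever formed and
 * memcmp() only inspects bytes inside the buffer. Returns a pointer to the
 * match, or NULL if the terminator does not fit in or occur in the remaining
 * bytes (the "interminable" case in toke.c). */
const char *find_terminator(const char *s, const char *bufend,
                            const char *term, size_t len)
{
    while ((size_t)(bufend - s) >= len) {
        if (memcmp(s, term, len) == 0)
            return s;
        s++;
    }
    return NULL;
}

/* Convenience wrapper: byte offset of the terminator in buf, or -1 if absent. */
long terminator_offset(const char *buf, size_t buflen, const char *term)
{
    const char *hit = find_terminator(buf, buf + buflen, term, strlen(term));
    return hit ? (long)(hit - buf) : -1;
}

int main(void)
{
    /* Constructed heredoc body: the terminator line is "EOT", searched for as
     * "\nEOT", mirroring the leading '\n' that toke.c keeps in PL_tokenbuf. */
    static const char src[] = "line1\nline2\nEOT\n";
    const struct layer *l = find_layer("perl", 4);  /* a prefix of "perlio" must not match */

    printf("find_layer(\"perl\", 4)  -> %s\n", l ? l->name : "(none)");
    printf("find_layer(\"unixy\", 4) -> %s\n", find_layer("unixy", 4)->name);
    printf("terminator offset       -> %ld\n",
           terminator_offset(src, sizeof src - 1, "\nEOT"));
    printf("short buffer \"\\nEO\"    -> %ld\n",
           terminator_offset("\nEO", 3, "\nEOT"));
    return 0;
}
```

The length test in `find_layer` and the `(bufend - s) >= len` bound in `find_terminator` are the whole point: each guarantees that the byte count passed to `memcmp()` is covered by both operands, so a short table entry or a short source buffer ends the search cleanly instead of reading past the end of an allocation.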
