In perl.git, the branch blead has been updated <http://perl5.git.perl.org/perl.git/commitdiff/bf4a926a29374161655548b149d1cb37300bcc05?hp=14ebef5fba328c5f6d6b522b2af648a970b181b1>
- Log ----------------------------------------------------------------- commit bf4a926a29374161655548b149d1cb37300bcc05 Author: Tony Cook <[email protected]> Date: Wed Sep 7 16:51:39 2016 +1000 (perl #129149) avoid a heap buffer overflow with pack "W"... ----------------------------------------------------------------------- Summary of changes: pp_pack.c | 2 +- t/op/pack.t | 13 ++++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/pp_pack.c b/pp_pack.c
index ee4c69e0ae..737e019a74 100644
--- a/pp_pack.c
+++ b/pp_pack.c
@@ -2587,7 +2587,7 @@ S_pack_rec(pTHX_ SV *cat, tempsym_t* symptr, SV **beglist, SV **endlist )
 if (in_bytes) auv = auv % 0x100;
 if (utf8) {
 W_utf8:
- if (cur > end) {
+ if (cur >= end) {
 *cur = '\0';
 SvCUR_set(cat, cur - start);
diff --git a/t/op/pack.t b/t/op/pack.t
index 3fc12e4241..47d1216a2f 100644
--- a/t/op/pack.t
+++ b/t/op/pack.t
@@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' :
 my $no_signedness = $] > 5.009 ? '' : "Signed/unsigned pack modifiers not available on this perl";
-plan tests => 14712;
+plan tests => 14713;
 use strict;
 use warnings qw(FATAL all);
@@ -2047,3 +2047,14 @@ ok(1, "argument underflow did not crash");
 is(pack("H40", $up_nul), $twenty_nuls, "check pack H zero fills (utf8 source)");
 }
+
+{
+ # [perl #129149] the code below would write one past the end of the output
+ # buffer, only detected by ASAN, not by valgrind
+ $Config{ivsize} >= 8
+ or skip "[perl #129149] need 64-bit for this test", 1;
+ fresh_perl_is(<<'EOS', "ok\n", { stderr => 1 }, "pack W overflow");
+print pack("ucW", "0000", 0, 140737488355327) eq "\$,#`P,```\n\0\x{7fffffffffff}"
+ ? "ok\n" : "not ok\n";
+EOS
+}
-- Perl5 Master Repository
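Review bot: The corrected bound under `W_utf8:` has no comment saying what `end` stands for, so a reader cannot tell from this site why `>=` is safe and `>` wrote past the buffer. `end` is computed outside this hunk; assuming it marks the last offset at which a maximum-length encoded character and the terminating NUL still fit, a comment above the test such as `/* cur == end leaves no room for a max-length char plus NUL: grow first */` would pin the invariant. Other growth checks in S_pack_rec, whose body starts and ends outside the hunk, are worth auditing for the same `>` versus `>=` boundary.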
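Review bot: The new test block calls `skip` but opens with a bare `{` rather than a `SKIP:` label, so on a build where `$Config{ivsize} < 8` there is no labelled block for the skip to leave. Test::More-style `skip` exits with `last SKIP`; the harness's own `skip` is not visible here, but if it behaves the same way the test file would die with a label-not-found error on 32-bit builds instead of skipping. Changing the opening line to `SKIP: {` fixes that. Separately, the comment says the overflow is only detected by ASAN, so on ordinary builds this test passes with or without the pp_pack.c fix; it only guards against regression where a sanitizer build runs the suite.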
