In perl.git, the branch blead has been updated <http://perl5.git.perl.org/perl.git/commitdiff/41b1e858a075694f88057b9514f5fc78c80b5355?hp=78e4f28fec5bf0c2d3d8edbbd73ac68db3308f05>
- Log ----------------------------------------------------------------- commit 41b1e858a075694f88057b9514f5fc78c80b5355 Author: Aaron Crane <[email protected]> Date: Tue Jan 24 23:39:40 2017 +0000 RT#130624: heap-use-after-free in 4-arg substr ----------------------------------------------------------------------- Summary of changes: pp.c | 4 +++- t/op/substr.t | 14 +++++++++++++- 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/pp.c b/pp.c
index 62316fc8b4..a640995e31 100644
--- a/pp.c
+++ b/pp.c
@@ -3396,8 +3396,10 @@ PP(pp_substr)
 tmps = SvPV_force_nomg(sv, curlen);
 if (DO_UTF8(repl_sv) && repl_len) {
 if (!DO_UTF8(sv)) {
+ /* Upgrade the dest, and recalculate tmps in case the buffer
+ * got reallocated; curlen may also have been changed */
 sv_utf8_upgrade_nomg(sv);
- curlen = SvCUR(sv);
+ tmps = SvPV_nomg(sv, curlen);
 }
 }
 else if (DO_UTF8(sv))
diff --git a/t/op/substr.t b/t/op/substr.t
index a8abed825c..3c7f0eb158 100644
--- a/t/op/substr.t
+++ b/t/op/substr.t
@@ -22,7 +22,7 @@ $SIG{__WARN__} = sub {
 } };
-plan(391);
+plan(393);
 run_tests() unless caller;
@@ -880,3 +880,15 @@ is($destroyed, 1, 'Timely scalar destruction with lvalue substr');
 # failed with ASAN
 fresh_perl_is('$0 = "/usr/bin/perl"; substr($0, 0, 0, $0)', '', {}, "(perl #129340) substr() with source in target");
+
+
+# [perl #130624] - heap-use-after-free, observable under asan
+{
+ my $x = "\xE9zzzz";
+ my $y = "\x{100}";
+ my $z = substr $x, 0, 1, $y;
+ is $z, "\xE9", "RT#130624: heap-use-after-free in 4-arg substr (ret)";
+ is $x, "\x{100}zzzz", "RT#130624: heap-use-after-free in 4-arg substr (targ)";
+}
+
+
-- Perl5 Master Repository
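Review bot: The re-fetch after `sv_utf8_upgrade_nomg(sv)` uses the non-forcing `SvPV_nomg`, while the first fetch at the top of the hunk uses `SvPV_force_nomg`; this reads as safe only because sv was already forced to a string a few lines earlier, and the new comment does not say so. I would extend the comment with something like `/* sv was forced to a PV above, so the non-forcing fetch is enough here */`. The change refreshes `tmps` and `curlen` only; pp_substr starts and ends outside this hunk, so any other pointer or offset taken from the old buffer before the upgrade cannot be checked from here and is worth a look in the full function.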
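Review bot: The new block in the last hunk of t/op/substr.t runs the faulting `substr` inside the test script's own process, whereas the #129340 case directly above it isolates its statement with `fresh_perl_is`. Under a sanitizer build a regression would then abort the whole script instead of reporting one failing test, and on a plain build the two `is` checks may still pass with the bug present, since the comment itself says the fault is observable under asan. Consider adding a `fresh_perl_is` variant of the same statement next to the value checks, and stating the dependency in the comment, e.g. `# value checks alone may pass without the fix; a sanitizer build is needed to catch the regression`.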
