In perl.git, the branch maint-5.24 has been updated <http://perl5.git.perl.org/perl.git/commitdiff/661017e03ef252c7156aa4ac31e9069187fcc12c?hp=7fd57da23ca822d3ac68a1e34b882cc9c594aaf5>
- Log ----------------------------------------------------------------- commit 661017e03ef252c7156aa4ac31e9069187fcc12c Author: David Mitchell <da...@iabyn.com> Date: Mon May 8 21:06:38 2017 +0100 avoid a memory wrap in sv_vcatpvfn_flags() RT #131260 When calculating the new size of PL_efloatbuf, avoid wrapping 'need'. (cherry picked from commit ddb03b72f46eae3c278f28e8758e87b9c98c66a1) ----------------------------------------------------------------------- Summary of changes: sv.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/sv.c b/sv.c index 80bf2fe716..90b2ced327 100644 --- a/sv.c +++ b/sv.c @@ -12318,7 +12318,13 @@ Perl_sv_vcatpvfn_flags(pTHX_ SV *const sv, const char *const pat, const STRLEN p need = BIT_DIGITS(i); } /* if i < 0, the number of digits is hard to predict. */ } - need += has_precis ? precis : 6; /* known default */ + + { + STRLEN pr = has_precis ? precis : 6; /* known default */ + if (need >= ((STRLEN)~0) - pr) + croak_memory_wrap(); + need += pr; + } if (need < width) need = width; @@ -12389,10 +12395,12 @@ Perl_sv_vcatpvfn_flags(pTHX_ SV *const sv, const char *const pat, const STRLEN p #endif /* HAS_LDBL_SPRINTF_BUG */ - need += 20; /* fudge factor */ + if (need >= ((STRLEN)~0) - 40) + croak_memory_wrap(); + need += 40; /* fudge factor */ if (PL_efloatsize < need) { Safefree(PL_efloatbuf); - PL_efloatsize = need + 20; /* more fudge */ + PL_efloatsize = need; Newx(PL_efloatbuf, PL_efloatsize, char); PL_efloatbuf[0] = '\0'; } -- Perl5 Master Repository