In perl.git, the branch maint-5.24 has been updated

<http://perl5.git.perl.org/perl.git/commitdiff/661017e03ef252c7156aa4ac31e9069187fcc12c?hp=7fd57da23ca822d3ac68a1e34b882cc9c594aaf5>

- Log -----------------------------------------------------------------
commit 661017e03ef252c7156aa4ac31e9069187fcc12c
Author: David Mitchell <da...@iabyn.com>
Date:   Mon May 8 21:06:38 2017 +0100

    avoid a memory wrap in sv_vcatpvfn_flags()
    
    RT #131260
    
    When calculating the new size of PL_efloatbuf, avoid wrapping 'need'.
    
    (cherry picked from commit ddb03b72f46eae3c278f28e8758e87b9c98c66a1)
-----------------------------------------------------------------------

Summary of changes:
 sv.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/sv.c b/sv.c
index 80bf2fe716..90b2ced327 100644
--- a/sv.c
+++ b/sv.c
@@ -12318,7 +12318,13 @@ Perl_sv_vcatpvfn_flags(pTHX_ SV *const sv, const char 
*const pat, const STRLEN p
                     need = BIT_DIGITS(i);
                 } /* if i < 0, the number of digits is hard to predict. */
            }
-           need += has_precis ? precis : 6; /* known default */
+
+            {
+                STRLEN pr = has_precis ? precis : 6; /* known default */
+                if (need >= ((STRLEN)~0) - pr)
+                    croak_memory_wrap();
+                need += pr;
+            }
 
            if (need < width)
                need = width;
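Review bot: The new guard `if (need >= ((STRLEN)~0) - pr)` carries no comment explaining why it subtracts from the limit instead of testing `need + pr`, and that ordering is what keeps the check itself from wrapping. I would add `/* compare against the limit minus pr so the test cannot itself wrap */` above it. The check relies on both operands being unsigned `STRLEN`; `precis` is declared outside the hunk, so its type is worth confirming. The diffstat lists only sv.c, so a regression test for RT #131260 would be a useful companion. The enclosing function starts and ends outside the hunk.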
@@ -12389,10 +12395,12 @@ Perl_sv_vcatpvfn_flags(pTHX_ SV *const sv, const char 
*const pat, const STRLEN p
 
 #endif /* HAS_LDBL_SPRINTF_BUG */
 
-           need += 20; /* fudge factor */
+            if (need >= ((STRLEN)~0) - 40)
+                croak_memory_wrap();
+           need += 40; /* fudge factor */
            if (PL_efloatsize < need) {
                Safefree(PL_efloatbuf);
-               PL_efloatsize = need + 20; /* more fudge */
+               PL_efloatsize = need;
                Newx(PL_efloatbuf, PL_efloatsize, char);
                PL_efloatbuf[0] = '\0';
            }
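Review bot: The literal 40 now appears twice, in the wrap check and in `need += 40`, so a later edit to one can leave the guard testing the wrong bound. A single local such as `const STRLEN fudge = 40; /* formerly 20 + 20 */`, used in both places, would keep them in step. Separately, `Safefree(PL_efloatbuf)` leaves the global pointing at freed memory, and `PL_efloatsize` is already updated when `Newx` runs. Whether `Newx` can fail without ending the process is not visible here; if it can, clearing the pointer and size before allocating would avoid a stale buffer being reused. The enclosing block starts outside the hunk.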

--
Perl5 Master Repository
