In perl.git, the branch maint-5.28 has been updated <https://perl5.git.perl.org/perl.git/commitdiff/c12901e13e2df1d8ea437a99f39fdcb9209f2edf?hp=5aacb4d4c7f0410dfb10e7f5990a07c3c9b42ab8>
- Log ----------------------------------------------------------------- commit c12901e13e2df1d8ea437a99f39fdcb9209f2edf Author: Tony Cook <[email protected]> Date: Mon Aug 20 16:31:45 2018 +1000 (perl #132655) nul terminate result of unpack "u" of invalid data In the given test case, Perl_atof2() would run off the end of the PV, producing an error from ASAN. (cherry picked from commit 12cad9bd99725bba72029e2651b2b7f0cab2e0b0) ----------------------------------------------------------------------- Summary of changes: pp_pack.c | 5 ++++- t/op/pack.t | 9 ++++++++- 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/pp_pack.c b/pp_pack.c
index 5e9cc64301..f8be9d48ae 100644
--- a/pp_pack.c
+++ b/pp_pack.c
@@ -1727,7 +1727,10 @@ S_unpack_rec(pTHX_ tempsym_t* symptr, const char *s, const char *strbeg, const c
 if (!checksum) {
 const STRLEN l = (STRLEN) (strend - s) * 3 / 4;
 sv = sv_2mortal(newSV(l));
- if (l) SvPOK_on(sv);
+ if (l) {
+ SvPOK_on(sv);
+ *SvEND(sv) = '\0';
+ }
 }

 /* Note that all legal uuencoded strings are ASCII printables, so
diff --git a/t/op/pack.t b/t/op/pack.t
index cf0e286509..bb9f865091 100644
--- a/t/op/pack.t
+++ b/t/op/pack.t
@@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' :
 my $no_signedness = $] > 5.009 ? '' :
 "Signed/unsigned pack modifiers not available on this perl";

-plan tests => 14717;
+plan tests => 14718;

 use strict;
 use warnings qw(FATAL all);
@@ -2081,3 +2081,10 @@ SKIP:
 fresh_perl_like('pack "c10f1073741824"', qr/Out of memory during pack/, { stderr => 1 },
 "integer overflow calculating allocation (multiply)");
 }
+
+{
+ # [perl #132655] heap-buffer-overflow READ of size 11
+ # only expect failure under ASAN (and maybe valgrind)
+ fresh_perl_is('0.0 + unpack("u", "ab")', "", { stderr => 1 },
+ "ensure unpack u of invalid data nul terminates result");
+}
-- Perl5 Master Repository
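Review bot: The added `*SvEND(sv) = '\0';` in S_unpack_rec carries no comment saying why a freshly allocated buffer needs a terminator, and it relies on SvCUR still being zero right after newSV() so that SvEND points at the first byte. I would put a comment above it such as `/* the decode loop may append nothing for invalid input, so keep the empty PV NUL-terminated once POK is set [perl #132655] */`. The decode loop is outside this hunk, so that wording is inferred from the commit message and should be checked against the loop. S_unpack_rec starts and ends outside the hunk.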
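Review bot: The new fresh_perl_is block at the end of t/op/pack.t prints nothing and expects empty output, so on a build without ASAN or valgrind it passes with or without the fix, as its own comment concedes. Printing the sum would also catch a wrong numeric result on ordinary builds, where stray bytes after the buffer could happen to parse as digits: `fresh_perl_is('print 0.0 + unpack("u", "ab")', "0", { stderr => 1 },`. That expected value assumes the unpacked result is the empty string, which the commit message implies but the hunk does not show.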
