author | David Leadbeater <dgl@dgl.cx> | 2011-05-14 13:57:21 +0100 |
---|---|---|
committer | Leon Brocard <acme@astray.com> | 2011-06-01 08:49:14 +0100 |
commit | f59d24d8aa7da6eb41d6cb93ad3683ac1fb1db17 (patch) | |
tree | 994d6a18519ad3706a119cd77075e8eee76dd0d7 /toke.c | |
parent | af021af6468a4ef90c28f5220360c0c329c195f1 (diff) | |

scan_heredoc could reallocate PL_parser->linestr's PV

Since f0e67a1 it was possible the freed buffer may be read from when
parsing a heredoc. This adds a call to lex_grow_linestr to grow the
buffer and ensure the pointers in PL_parser are updated.

The bug is pretty hard to reproduce, hence no test. I'm able to
reproduce it with the following:

    perl -Meverywhere=re,debug -MParams::Util -e1

(cherry picked from commit 37c6a70c7d35357916da21616c68e56c878a5bd2)

Diffstat (limited to 'toke.c')
-rw-r--r-- | toke.c | 1 |
1 files changed, 1 insertions, 0 deletions
@@ -12373,6 +12373,7 @@ S_scan_heredoc(pTHX_ register char *s) if (*s == term && memEQ(s,PL_tokenbuf,len)) { STRLEN off = PL_bufend - 1 - SvPVX_const(PL_linestr); *(SvPVX(PL_linestr) + off ) = ' '; + lex_grow_linestr(SvCUR(PL_linestr) + SvCUR(herewas) + 1); sv_catsv(PL_linestr,herewas); PL_bufend = SvPVX(PL_linestr) + SvCUR(PL_linestr); s = SvPVX(PL_linestr) + off; /* In case PV of PL_linestr moved. */ |
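
Review bot: The added lex_grow_linestr(SvCUR(PL_linestr) + SvCUR(herewas) + 1) call, placed just before sv_catsv(PL_linestr,herewas), has no comment, and to a later reader it looks redundant because sv_catsv grows the buffer on its own. The only comment in the hunk, "In case PV of PL_linestr moved", covers the recomputation of s and PL_bufend, while the commit message says the point of the new call is to keep the other pointers in PL_parser valid when the PV is reallocated. Please add a short comment on the new line saying that growth must go through lex_grow_linestr for that reason, and that the requested size has to cover everything sv_catsv appends (current length plus herewas plus the trailing NUL) so the append itself never moves the buffer. The commit message also notes there is no test; since a one-line reproducer is given there, it would be worth recording it next to the fix or in a TODO test so the call is not dropped in a later cleanup.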