683572
From a0148bb8496444302b087bc0ffcf8dad42f8e475 Mon Sep 17 00:00:00 2001
683572
From: Tony Cook <tony@develop-help.com>
683572
Date: Mon, 11 Nov 2019 14:43:42 +1100
683572
Subject: [PATCH] handle s being updated without len being updated
683572
MIME-Version: 1.0
683572
Content-Type: text/plain; charset=UTF-8
683572
Content-Transfer-Encoding: 8bit
683572
683572
fix #17279
683572
683572
Petr Písař: Ported to 5.30.1 from
683572
e56dfd967ce460481a9922d14e931b438548093d.
683572
683572
Signed-off-by: Petr Písař <ppisar@redhat.com>
683572
---
683572
 numeric.c           | 2 +-
683572
 t/lib/croak/regcomp | 4 ++++
683572
 2 files changed, 5 insertions(+), 1 deletion(-)
683572
683572
diff --git a/numeric.c b/numeric.c
683572
index d6ce53e..35adebe 100644
683572
--- a/numeric.c
683572
+++ b/numeric.c
683572
@@ -1552,7 +1552,7 @@ Perl_my_atof3(pTHX_ const char* orig, NV* value, const STRLEN len)
683572
         /* strtold() accepts 0x-prefixed hex and in POSIX implementations,
683572
            0b-prefixed binary numbers, which is backward incompatible
683572
         */
683572
-        if ((len == 0 || len >= 2) && *s == '0' &&
683572
+        if ((len == 0 || len - (s-orig) >= 2) && *s == '0' &&
683572
             (isALPHA_FOLD_EQ(s[1], 'x') || isALPHA_FOLD_EQ(s[1], 'b'))) {
683572
             *value = 0;
683572
             return (char *)s+1;
683572
diff --git a/t/lib/croak/regcomp b/t/lib/croak/regcomp
683572
index 0ba705e..c0c2710 100644
683572
--- a/t/lib/croak/regcomp
683572
+++ b/t/lib/croak/regcomp
683572
@@ -70,3 +70,7 @@ qr/((a))/;
683572
 EXPECT
683572
 Too many nested open parens in regex; marked by <-- HERE in m/(( <-- HERE a))/ at - line 3.
683572
 ########
683572
+# NAME numeric parsing buffer overflow in numeric.c
683572
+0=~/\p{nV:-0}/
683572
+EXPECT
683572
+Can't find Unicode property definition "nV:-0" in regex; marked by <-- HERE in m/\p{nV:-0} <-- HERE / at - line 1.
683572
-- 
683572
2.21.0
683572