From cd6b0f4e030d55ff077e9bc8fbcf156ab79dceb1 Mon Sep 17 00:00:00 2001
From: Tony Cook
Date: Wed, 7 Sep 2016 16:51:39 +1000
Subject: [PATCH] (perl #129149) avoid a heap buffer overflow with pack "W"...
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Petr Písař: Ported to 5.24.4:
From bf4a926a29374161655548b149d1cb37300bcc05 Mon Sep 17 00:00:00 2001
From: Tony Cook
Date: Wed, 7 Sep 2016 16:51:39 +1000
Subject: [PATCH] (perl #129149) avoid a heap buffer overflow with pack "W"...
Signed-off-by: Petr Písař
---
 pp_pack.c | 2 +-
 t/op/pack.t | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/pp_pack.c b/pp_pack.c
index c0de5ab..29fdb01 100644
--- a/pp_pack.c
+++ b/pp_pack.c
@@ -2598,7 +2598,7 @@ S_pack_rec(pTHX_ SV *cat, tempsym_t* symptr, SV **beglist, SV **endlist )
 if (in_bytes) auv = auv % 0x100;
 if (utf8) {
 W_utf8:
- if (cur > end) {
+ if (cur >= end) {
 *cur = '\0';
 SvCUR_set(cat, cur - start);
diff --git a/t/op/pack.t b/t/op/pack.t
index a480c3a..cf5ae78 100644
--- a/t/op/pack.t
+++ b/t/op/pack.t
@@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' :
 my $no_signedness = $] > 5.009 ? '' :
 "Signed/unsigned pack modifiers not available on this perl";
-plan tests => 14716;
+plan tests => 14717;
 use strict;
 use warnings qw(FATAL all);
@@ -2066,3 +2066,14 @@ SKIP:
 fresh_perl_like('pack "c10f1073741824"', qr/Out of memory during pack/, { stderr => 1 }, "integer overflow calculating allocation (multiply)");
 }
+
+ {
+ # [perl #129149] the code below would write one past the end of the output
+ # buffer, only detected by ASAN, not by valgrind
+ $Config{ivsize} >= 8
+ or skip "[perl #129149] need 64-bit for this test", 1;
+ fresh_perl_is(<<'EOS', "ok\n", { stderr => 1 }, "pack W overflow");
+print pack("ucW", "0000", 0, 140737488355327) eq "\$,#`P,```\n\0\x{7fffffffffff}"
+ ? "ok\n" : "not ok\n";
+EOS
+}
--
2.14.3
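Review bot: The corrected comparison under `W_utf8:` in pp_pack.c has no comment recording why equality must also take the grow path, so a bare `>=` could later be "simplified" back to `>` and reintroduce the one-byte overrun. I would add a comment above it, for example `/* cur == end must grow too: writing at end overran the buffer by one byte (perl #129149) */`. The rest of the branch, including how `end` is derived and the write that follows, lies outside the hunk. Whether other format cases in S_pack_rec use the same `cur > end` test cannot be judged from here and is worth checking.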
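Review bot: The new block at the end of t/op/pack.t calls `skip` from a bare `{ ... }` with no `SKIP:` label, unlike the earlier block that the hunk header shows as `SKIP:`. If the test library's `skip` leaves via `last SKIP`, as Test::More's does, then on a perl where `$Config{ivsize}` is below 8 this path would abort the test file instead of skipping one test. Opening the block as `SKIP: {` avoids that. The block's comment says the overrun was only detected by ASAN, so it would help to add that a pass on a non-ASAN build does not show the fix is present.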