PATCH: [perl #134134] read beyond end of buffer

This turns out to be because of a special input case in myatof3(), wherein if the input length is 0, it call strlen to find the length. The solution is to add a test and not call the function unless the length is positive.
Perl · May 24, 2019 · 2d26cf4 · 2d26cf4
1 parent 2dd743b
commit 2d26cf4
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/regcomp.c b/regcomp.c
@@ -23428,10 +23428,12 @@ Perl_parse_uniprop_string(pTHX_
                  * NV. */
 
                 NV value;
+                SSize_t value_len = lookup_len - equals_pos;
 
                 /* Get the value */
-                if (my_atof3(lookup_name + equals_pos, &value,
-                             lookup_len - equals_pos)
+                if (   value_len <= 0
+                    || my_atof3(lookup_name + equals_pos, &value,
+                                value_len)
                           != lookup_name + lookup_len)
                 {
                     goto failed;