Fix a crash with a tainted formline() picture

A private (tainted) string did not get its share of space in the destination string, causing a buffer overflow later. Originally reported by Roland Kuhn as http://bugs.debian.org/575318
Perl · Nov 15, 2010 · 7e6078c · 7e6078c
1 parent 9733086
commit 7e6078c
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/pp_ctl.c b/pp_ctl.c
@@ -504,7 +504,7 @@ PP(pp_formline)
     NV value;
     bool gotsome = FALSE;
     STRLEN len;
-    const STRLEN fudge = SvPOK(tmpForm)
+    const STRLEN fudge = SvPOKp(tmpForm)
 			? (SvCUR(tmpForm) * (IN_BYTES ? 1 : 3) + 1) : 0;
     bool item_is_utf8 = FALSE;
     bool targ_is_utf8 = FALSE;

diff --git a/t/op/taint.t b/t/op/taint.t
@@ -17,7 +17,7 @@ use Config;
 use File::Spec::Functions;
 
 BEGIN { require './test.pl'; }
-plan tests => 325;
+plan tests => 326;
 
 $| = 1;
 
@@ -1396,6 +1396,13 @@ foreach my $ord (78, 163, 256) {
     ok(!tainted($untainted), '$untainted should yet still be untainted');
 }
 
+{
+    fresh_perl_is(<<'end', "ok", { switches => [ '-T' ] },
+    $TAINT = substr($^X, 0, 0);
+    formline('@'.('<'x("21".$TAINT)).' | @*', 'hallo', 'welt'); print "ok";
+end
+    "formline survives a tainted dynamic picture");
+}
 
 # This may bomb out with the alarm signal so keep it last
 SKIP: {