Fix edge cases in pp_getc and pp_tell where the stack extent was not checked.

Both conditionally POP a GV from the stack, but always PUSH a return value to
it. For the case where they did not POP the GV, they made no check that the
stack had space for the PUSH. This bug has been present since perl 5.000.

diff --git a/pp_sys.c b/pp_sys.c
index 59ec533..9d4887f 100644 (file)
--- a/pp_sys.c
+++ b/pp_sys.c
@@ -1194,6 +1194,9 @@ PP(pp_getc)
     IO *io = NULL;
     GV * const gv = (MAXARG==0) ? PL_stdingv : MUTABLE_GV(POPs);
 
+    if (MAXARG == 0)
+       EXTEND(SP, 1);
+
     if (gv && (io = GvIO(gv))) {
        MAGIC * const mg = SvTIED_mg((const SV *)io, PERL_MAGIC_tiedscalar);
        if (mg) {
@@ -2067,6 +2070,8 @@ PP(pp_tell)
 
     if (MAXARG != 0)
        PL_last_in_gv = MUTABLE_GV(POPs);
+    else
+       EXTEND(SP, 1);
     gv = PL_last_in_gv;
 
     if (gv && (io = GvIO(gv))) {