From: Dave Mitchell <davem@fdisolutions.com>
Date: Wed, 8 Nov 2006 19:13:57 +0000 (+0000)
Subject: [perl #40718] perl parser bug leading to memory corruption
X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=0331ef07c86d2e7ed952b45f1b72f9cab35c4845;p=p5sagit%2Fp5-mst-13.2.git

[perl #40718] perl parser bug leading to memory corruption
quoted-string parser naughtily maintained a pointer into an SV
which could get realloc()ed.

p4raw-id: //depot/perl@29239
---

diff --git a/toke.c b/toke.c
index 9b48f96..9e0c08d 100644
--- a/toke.c
+++ b/toke.c
@@ -11471,7 +11471,7 @@ S_scan_str(pTHX_ char *start, int keep_quoted, int keep_delims)
     I32 termcode;			/* terminating char. code */
     U8 termstr[UTF8_MAXBYTES];		/* terminating string */
     STRLEN termlen;			/* length of terminating string */
-    char *last = NULL;			/* last position for nesting bracket */
+    int last_off = 0;			/* last position for nesting bracket */
 #ifdef PERL_MAD
     int stuffstart;
     char *tstart;
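Review bot: `int last_off` on the added line is narrower than the offsets it has to hold; the value stored into it in the third hunk (`last_off = w - SvPVX(sv);`) is a pointer difference into a buffer whose length is tracked as STRLEN — the type of `termlen` two lines above and of the `SvCUR_set` argument in that hunk — so an unusually long quoted string would silently truncate it. I would declare it as `STRLEN last_off = 0;` and leave the assignment and the `SvPVX(sv)+last_off` use in the second hunk unchanged. The trailing comment still says "last position", which no longer tells a reader why this became an offset instead of a pointer; I would change it to `/* offset of last nesting bracket; an offset, not a pointer, because sv's buffer may move when it grows */`. S_scan_str begins before this hunk.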
@@ -11572,9 +11572,7 @@ S_scan_str(pTHX_ char *start, int keep_quoted, int keep_delims)
 		    else {
 			const char *t;
 			char *w;
-			if (!last)
-			    last = SvPVX(sv);
-			for (t = w = last; t < svlast; w++, t++) {
+			for (t = w = SvPVX(sv)+last_off; t < svlast; w++, t++) {
 			    /* At here, all closes are "was quoted" one,
 			       so we don't check PL_multi_close. */
 			    if (*t == '\\') {
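Review bot: The loop on the added line rebases `t` and `w` from `SvPVX(sv)` on each entry, but its upper bound `svlast` is not rebased here and is assigned outside the hunk; if it is derived from SvPVX(sv) before any path that can grow sv on the same iteration, it carries the same stale-pointer hazard the commit removes for `last` — worth confirming against the line where svlast is set. A one-line comment above the `for` would spare the next reader the same question: `/* rebase from SvPVX(sv) each time: last_off is an offset because the buffer may have been reallocated since the previous iteration */`. The loop body continues past the end of the hunk.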
@@ -11593,7 +11591,7 @@ S_scan_str(pTHX_ char *start, int keep_quoted, int keep_delims)
 			    *w = '\0';
 			    SvCUR_set(sv, w - SvPVX_const(sv));
 			}
-			last = w;
+			last_off = w - SvPVX(sv);
 			if (--brackets <= 0)
 			    cont = FALSE;
 		    }