PATCH: [perl #133876] Write out of bounds

This was caused by a lapse on my part about the inputs to this function
that grows memory.  I was thinking the trailing NUL was included, but
it's not.  This patch adds space for that to all calls of
sv_utf8_upgrade_flags_grow() in the file.

But it occurs to me that maybe the function itself should just add one
instead of having the caller do it.  If you think so, let me know.
Karl Williamson 2019-03-08 10:01:48 -07:00
parent ff736663d5
commit 56e36cbf2f
2 changed files with 8 additions and 4 deletions

9
pp.c

@ -4300,7 +4300,8 @@ PP(pp_uc)
SvCUR_set(dest, len);
len = sv_utf8_upgrade_flags_grow(dest,
SV_GMAGIC|SV_FORCE_UTF8_UPGRADE,
extra);
extra
+ 1 /* trailing NUL */ );
d = (U8*)SvPVX(dest) + len;
/* Now process the remainder of the source, simultaneously
@ -4434,7 +4435,8 @@ PP(pp_lc)
* when converted to UTF-8 */
sv_utf8_upgrade_flags_grow(dest, 0, len
+ I_count
+ variant_under_utf8_count(s, send));
+ variant_under_utf8_count(s, send)
+ 1 /* Trailing NUL */ );
d = (U8*)SvPVX(dest);
has_turkic_I = TRUE;
}
@ -4803,7 +4805,8 @@ PP(pp_fc)
SvCUR_set(dest, len);
len = sv_utf8_upgrade_flags_grow(dest,
SV_GMAGIC|SV_FORCE_UTF8_UPGRADE,
extra);
extra
+ 1 /* Trailing NUL */ );
d = (U8*)SvPVX(dest) + len;
*d++ = UTF8_TWO_BYTE_HI(GREEK_SMALL_LETTER_MU);
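Review bot: The three call sites fixed here (pp_uc, pp_lc, pp_fc) are all in pp.c and the diffstat lists no other C file, so any caller of sv_utf8_upgrade_flags_grow() elsewhere in the tree that computes `extra` without the terminator would presumably still write one byte past the allocation; those callers should be checked against the same assumption. At the call sites the new comment names the byte but not the rule that was misread, so something like `+ 1 /* 'extra' does not include the trailing NUL */` would record the contract for the next reader; the capitalisation also differs between pp_uc (`trailing NUL`) and pp_lc/pp_fc (`Trailing NUL`). All three hunks show only part of their enclosing PP() bodies, so whether the `extra` counts themselves cover every byte written afterwards cannot be confirmed from this page.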


@ -11,8 +11,9 @@ use feature 'unicode_strings';
is(uc("\x{3B1}\x{345}\x{301}"), "\x{391}\x{301}\x{399}",
'Verify moves YPOGEGRAMMENI');
fresh_perl_is('use 5.026;m.\U00ÿÿ0000.', "", {}, "[perl #133876] This caused valgrind and asan errors");
casetest( 1, # extra tests already run
casetest( 2, # extra tests already run
"Uppercase_Mapping",
uc => sub { uc $_[0] },
uc_with_appended_null_arg => sub { my $a = ""; uc ($_[0] . $a) }