(perl #131836) avoid a use-after-free after parsing a "sub" keyword

tonycoz · tonycoz · commit 3b8804a4c232 · 2017-08-28T16:05:47.000+10:00
The:

  d = skipspace(d);

can reallocate linestr in the test case, invalidating s.  This would
end up in PL_bufptr from the embedded (PL_bufptr = s) in the TOKEN()
macro.

Assigning s to PL_bufptr and restoring s from PL_bufptr allows
lex_next_chunk() to adjust the pointer to the reallocated buffer.
diff --git a/t/comp/parser_run.t b/t/comp/parser_run.t
@@ -10,7 +10,7 @@ BEGIN {
 }
 
 require './test.pl';
-plan(2);
+plan(3);
 
 # [perl #130814] can reallocate lineptr while looking ahead for
 # "Missing $ on loop variable" diagnostic.
@@ -31,5 +31,13 @@ EOS
 Unrecognized character \xD5; marked by <-- HERE after ${ <-- HERE near column 4 at - line 1.
 EXPECT
 
+fresh_perl_is(<<'EOS', <<'EXPECTED', {}, "use after free (#131836)");
+${sub#xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+EOS
+Missing right curly or square bracket at - line 1, at end of line
+syntax error at - line 1, at EOF
+Execution of - aborted due to compilation errors.
+EXPECTED
+
 __END__
 # ex: set ts=8 sts=4 sw=4 et:
diff --git a/toke.c b/toke.c
@@ -6222,8 +6222,10 @@ Perl_yylex(pTHX)
 			break;
 		    }
 		    if (strEQs(s, "sub")) {
+                        PL_bufptr = s;
 			d = s + 3;
 			d = skipspace(d);
+                        s = PL_bufptr;
 			if (*d == ':') {
 			    PL_expect = XTERM;
 			    break;
