pp_multiconcat: don't set svpv_p to an invalid pointer

When svpv_base == svpv_buf, svpv_p would be set to point before the buffer, which is undefined. This appears to be what gcc 13 is complaining about in Perl#20678, despite that report including what appears to be a completely valid address, on a line where the value of svpv_p is now within the range of svpv_buf. An intermediate approach to this used: temp = svpv_p; if (svpv_p++ == svpv_end) break but this is also incorrect, since svpv_p would end up as an invalid pointer, though gcc UBSAN didn't pick that up. Fixes Perl#20678.
pjacklam · May 20, 2023 · f681104 · f681104
1 parent 9ce235d
commit f681104
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/pp_hot.c b/pp_hot.c
@@ -957,7 +957,7 @@ PP(pp_multiconcat)
         /* Note that we iterate the loop nargs+1 times: to append nargs
          * arguments and nargs+1 constant strings. For example, "-$a-$b-"
          */
-        svpv_p = svpv_base - 1;
+        svpv_p = svpv_base;
 
         for (;;) {
             SSize_t len = (const_lens++)->ssize;
@@ -969,7 +969,7 @@ PP(pp_multiconcat)
                 const_pv += len;
             }
 
-            if (++svpv_p == svpv_end)
+            if (svpv_p == svpv_end)
                 break;
 
             /* append next arg */
@@ -997,6 +997,7 @@ PP(pp_multiconcat)
                     targ_pv += len;
             }
 
+            ++svpv_p;
         }
     }