scan_heredoc could reallocate PL_parser->linestr's PV

Since f0e67a1 it was possible the freed buffer may be read from when
parsing a heredoc. This adds a call to lex_grow_linestr to grow the
buffer and ensure the pointers in PL_parser are updated.

The bug is pretty hard to reproduce, hence no test. I'm able to
reproduce it with the following:

  perl -Meverywhere=re,debug -MParams::Util -e1

diff --git a/toke.c b/toke.c
index 0f08d42..358f322 100644 (file)
--- a/toke.c
+++ b/toke.c
@@ -9443,6 +9443,7 @@ S_scan_heredoc(pTHX_ register char *s)
        if (*s == term && memEQ(s,PL_tokenbuf,len)) {
            STRLEN off = PL_bufend - 1 - SvPVX_const(PL_linestr);
            *(SvPVX(PL_linestr) + off ) = ' ';
+           lex_grow_linestr(SvCUR(PL_linestr) + SvCUR(herewas) + 1);
            sv_catsv(PL_linestr,herewas);
            PL_bufend = SvPVX(PL_linestr) + SvCUR(PL_linestr);
            s = SvPVX(PL_linestr) + off; /* In case PV of PL_linestr moved. */