From 014243a274e5fe909b0735ff5f198a4edc5f35c4 Mon Sep 17 00:00:00 2001
From: Reini Urban <rurban@x-ray.at>
Date: Tue, 29 May 2012 15:46:13 -0500
Subject: [PATCH] [perl #113060] Save cop_stashlen threaded even with shared
 cop pv

Perl_sv_compile_2op_is_broken() does at line 3354 a LEAVE_with_name("eval"),
a SSPOPSTR via SAVEt_SHARED_PVREF for the localized cop_stashpv, but
not for the cop_stashlen.
The cop in question is PL_compiling, which was "AutoSplit" before with
len=9 and restores it back to "main" but keeps len 9. Thus leading to a
heap-overflow in gv_stashpvn.
---
 scope.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scope.h b/scope.h
index aa04a79..38da244 100644
--- a/scope.h
+++ b/scope.h
@@ -237,7 +237,8 @@ scope has the given name. Name must be a literal string.
 #ifdef USE_ITHREADS
 #  define SAVECOPSTASH(c)	(SAVEPPTR(CopSTASHPV(c)), \
 				 SAVEI32(CopSTASH_len(c)))
-#  define SAVECOPSTASH_FREE(c)	SAVESHAREDPV(CopSTASHPV(c))
+#  define SAVECOPSTASH_FREE(c)	(SAVESHAREDPV(CopSTASHPV(c)), \
+	                         SAVEI32(CopSTASH_len(c)))
 #  define SAVECOPFILE(c)	SAVEPPTR(CopFILE(c))
 #  define SAVECOPFILE_FREE(c)	SAVESHAREDPV(CopFILE(c))
 #else
-- 
2.7.4