handle s being updated without len being updated

tonycoz · tonycoz · commit e56dfd967ce4 · 2019-11-12T07:46:10.000+11:00
fix #17279
diff --git a/numeric.c b/numeric.c
@@ -1560,7 +1560,7 @@ Perl_my_atof3(pTHX_ const char* orig, NV* value, const STRLEN len)
         /* strtold() accepts 0x-prefixed hex and in POSIX implementations,
            0b-prefixed binary numbers, which is backward incompatible
         */
-        if ((len == 0 || len >= 2) && *s == '0' &&
+        if ((len == 0 || len - (s-orig) >= 2) && *s == '0' &&
             (isALPHA_FOLD_EQ(s[1], 'x') || isALPHA_FOLD_EQ(s[1], 'b'))) {
             *value = 0;
             return (char *)s+1;
diff --git a/t/lib/croak/regcomp b/t/lib/croak/regcomp
@@ -79,3 +79,8 @@ EXPECT
 $x =~ /(?<=a\Ka)a/;
 EXPECT
 \K not permitted in lookahead/lookbehind in regex; marked by <-- HERE in m/(?<=a\K <-- HERE a)a/ at - line 1.
+########
+# NAME numeric parsing buffer overflow in numeric.c
+0=~/\p{nV:-0}/
+EXPECT
+Can't find Unicode property definition "nV:-0" in regex; marked by <-- HERE in m/\p{nV:-0} <-- HERE / at - line 1.
