--- perl-5.22.3/regcomp.c.CVE_2017_12883 2017-10-03 12:52:36.563594539 +0300
+++ perl-5.22.3/regcomp.c 2017-10-03 12:59:33.274540405 +0300
@@ -11286,47 +11286,49 @@
 * (enclosing in "(?: ... )" ). That way, it retains its atomicness,
 * while not having to worry about special handling that some code
 * points may have. */
 substitute_parse = newSVpvs("?:");
 while (RExC_parse < endbrace) {
 /* Convert to notation the rest of the code understands */
 sv_catpv(substitute_parse, "\\x{");
 sv_catpvn(substitute_parse, RExC_parse, endchar - RExC_parse);
 sv_catpv(substitute_parse, "}");
 /* Point to the beginning of the next character in the sequence. */
 RExC_parse = endchar + 1;
 endchar = RExC_parse + strcspn(RExC_parse, ".}");
 }
 sv_catpv(substitute_parse, ")");
- RExC_parse = SvPV(substitute_parse, len);
+ len = SvCUR(substitute_parse);
 /* Don't allow empty number */
 if (len < (STRLEN) 8) {
 RExC_parse = endbrace;
 vFAIL("Invalid hexadecimal number in \\N{U+...}");
 }
+
+ RExC_parse = SvPV_nolen(substitute_parse);
 RExC_end = RExC_parse + len;
 /* The values are Unicode, and therefore not subject to recoding, but
 * have to be converted to native on a non-Unicode (meaning non-ASCII)
 * platform. */
 RExC_override_recoding = 1;
 #ifdef EBCDIC
 RExC_recode_x_to_native = 1;
 #endif
 if (node_p) {
 if (!(*node_p = reg(pRExC_state, 1, &flags, depth+1))) {
 if (flags & RESTART_UTF8) {
 *flagp = RESTART_UTF8;
 return FALSE;
 }
 FAIL2("panic: reg returned NULL to grok_bslash_N, flags=%#"UVxf"", (UV) flags);
 }
 *flagp |= flags&(HASWIDTH|SPSTART|SIMPLE|POSTPONED);
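Review bot: As far as this hunk shows, deferring `RExC_parse = SvPV_nolen(substitute_parse);` until after the `len < (STRLEN) 8` check does not change what reaches `vFAIL`: before and after the patch the failure path runs with `RExC_parse = endbrace` and `RExC_end` not yet reassigned, and `SvCUR` should give the same `len` that `SvPV` stored. If the issue this patch is named for depends on other parser state that was repointed together with `RExC_parse`, that state is not visible here, so the backport should be confirmed on 5.22.3 with a regression test that compiles a pattern with an empty `\N{U+}` and expects the "Invalid hexadecimal number" error. The ordering is also the whole fix and nothing records it, so I would add above the new assignment `/* Switch to the substitute buffer only after the check above has passed; the vFAIL path must still see pointers into the original pattern. */`. The enclosing function starts and ends outside the hunk.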