From 3424efe3eae609b9787fcd80f6f66b5e8f00272a Mon Sep 17 00:00:00 2001
From: Chris 'BinGOs' Williams <chris@bingosnet.co.uk>
Date: Wed, 17 Aug 2011 00:21:57 +0100
Subject: [PATCH] Fix decode_xs n-byte heap-overflow security bug in
 Unicode.xs

---
 ext/Encode/Unicode/Unicode.xs |    5 +++-
 3 files changed, 9 insertions(+), 57 deletions(-)

diff --git a/ext/Encode/Unicode/Unicode.xs b/ext/Encode/Unicode/Unicode.xs
index 1f041d4..92005db 100644
--- a/ext/Encode/Unicode/Unicode.xs
+++ b/ext/Encode/Unicode/Unicode.xs
@@ -246,7 +246,10 @@ CODE:
 	       This prevents allocating too much in the rogue case of a large
 	       input consisting initially of long sequence uft8-byte unicode
 	       chars followed by single utf8-byte chars. */
-	    STRLEN remaining = (e - s)/usize;
+            /* +1 
+               fixes  Unicode.xs!decode_xs n-byte heap-overflow
+              */
+	    STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */
 	    STRLEN max_alloc = remaining + (8*1024*1024);
 	    STRLEN est_alloc = remaining * UTF8_MAXLEN;
 	    STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */
-- 
1.7.5.4