Fix a buffer overwrite in parse_stream() with wide characters on the standard input

XML-Parser-2.44_01-Fix-a-buffer-overwrite-in-parse_stream.patch

@@ -0,0 +1,64 @@
+From 53e71571fc0b1f8dbad5f7ff6e9eeeb233496c13 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 13 Dec 2018 13:05:07 +0100
+Subject: [PATCH] Fix a buffer overwrite in parse_stream()
+
+The parse_stream() function allocates BUFSIZE-byte long output buffer. Then it
+reads a string using PerlIO's read() with a maximal string length tsiz=BUFSIZE
+characters into a temporary buffer. And then it retrieves a length of the string
+in the temporary buffer in bytes and copies the strings from the temporary
+buffer to the output buffer.
+
+While it works for byte-stream file handles, when using UTF-8 handles, length
+in bytes can be greater than length in characters, thus the temporary buffer
+can contain more bytes than the size of the output buffer and we have a buffer
+overwrite. This corrupts memory, especially metadata for libc memory
+management and subsequent free() aborts with "free(): invalid next size
+(normal)".
+
+Minimal reproducer: Execute this code with an UTF-8 encoded file with non-ASCII
+charcters on the standard input:
+
+use XML::XPath;
+use open ':std', ':encoding(UTF-8)';
+my $xpath = XML::XPath->new(ioref => \*STDIN);
+$xpath->find('/');
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1473368
+https://bugzilla.redhat.com/show_bug.cgi?id=1658512
+---
+ Expat/Expat.xs | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/Expat/Expat.xs b/Expat/Expat.xs
+index ed66531..dbad380 100644
+--- a/Expat/Expat.xs
++++ b/Expat/Expat.xs
+@@ -343,8 +343,8 @@ parse_stream(XML_Parser parser, SV * ioref)
+   }
+   else {
+     tbuff = newSV(0);
+-    tsiz = newSViv(BUFSIZE);
+-    buffsize = BUFSIZE;
++    tsiz = newSViv(BUFSIZE); /* in UTF-8 characters */
++    buffsize = BUFSIZE * 6; /* in bytes that encode an UTF-8 string */
+   }
+ 
+   while (! done)
+@@ -386,9 +386,11 @@ parse_stream(XML_Parser parser, SV * ioref)
+ 	  croak("read error");
+ 
+ 	tb = SvPV(tbuff, br);
+-	if (br > 0)
++	if (br > 0) {
++	  if (br > buffsize)
++	    croak("The input buffer is not large enough for read UTF-8 decoded string");
+ 	  Copy(tb, buffer, br, char);
+-	else
++	} else
+ 	  done = 1;
+ 
+ 	PUTBACK ;
+-- 
+2.18.1
+

perl-XML-Parser.spec

@@ -1,11 +1,14 @@
 Name:           perl-XML-Parser
 Version:        2.44
-Release:        13%{?dist}
+Release:        14%{?dist}
 Summary:        Perl module for parsing XML documents
 
 License:        GPL+ or Artistic
 Url:            https://metacpan.org/release/XML-Parser
 Source0:        https://cpan.metacpan.org/authors/id/T/TO/TODDR/XML-Parser-%{version}.tar.gz
+# Fix a buffer overwrite in parse_stream() with wide characters on the standard
+# input, bug #1473368, CPAN RT#128006
+Patch0:         XML-Parser-2.44_01-Fix-a-buffer-overwrite-in-parse_stream.patch
 
 BuildRequires:  coreutils
 BuildRequires:  findutils
@@ -56,6 +59,7 @@ creation time.
 
 %prep
 %setup -q -n XML-Parser-%{version} 
+%patch0 -p1
 chmod 644 samples/{canonical,xml*}
 perl -pi -e 's|^#!/usr/local/bin/perl\b|#!%{__perl}|' samples/{canonical,xml*}
 
@@ -89,6 +93,10 @@ make test
 
 
 %changelog
+* Thu Dec 13 2018 Petr Pisar <ppisar@redhat.com> - 2.44-14
+- Fix a buffer overwrite in parse_stream() with wide characters on the standard
+  input (bug #1473368)
+
 * Mon Jul 23 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.44-13
 - Specify all dependencies