From 148d5a6bc6c10ae71c305cea901c29bf2b515b8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Tue, 12 Nov 2019 17:18:17 +0100
Subject: [PATCH] Fix a buffer overread in when parsing a number
---
...ng-updated-without-len-being-updated.patch | 47 +++++++++++++++++++
perl.spec | 7 +++
2 files changed, 54 insertions(+)
create mode 100644 perl-5.30.1-handle-s-being-updated-without-len-being-updated.patch
diff --git a/perl-5.30.1-handle-s-being-updated-without-len-being-updated.patch b/perl-5.30.1-handle-s-being-updated-without-len-being-updated.patch
new file mode 100644
index 0000000..9f3e11d
--- /dev/null
+++ b/perl-5.30.1-handle-s-being-updated-without-len-being-updated.patch
@@ -0,0 +1,47 @@
+From a0148bb8496444302b087bc0ffcf8dad42f8e475 Mon Sep 17 00:00:00 2001
+From: Tony Cook
+Date: Mon, 11 Nov 2019 14:43:42 +1100
+Subject: [PATCH] handle s being updated without len being updated
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+fix #17279
+
+Petr Písař: Ported to 5.30.1 from
+e56dfd967ce460481a9922d14e931b438548093d.
+
+Signed-off-by: Petr Písař
+---
+ numeric.c | 2 +-
+ t/lib/croak/regcomp | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/numeric.c b/numeric.c
+index d6ce53e..35adebe 100644
+--- a/numeric.c
++++ b/numeric.c
+@@ -1552,7 +1552,7 @@ Perl_my_atof3(pTHX_ const char* orig, NV* value, const STRLEN len)
+ /* strtold() accepts 0x-prefixed hex and in POSIX implementations,
+ 0b-prefixed binary numbers, which is backward incompatible
+ */
+- if ((len == 0 || len >= 2) && *s == '0' &&
++ if ((len == 0 || len - (s-orig) >= 2) && *s == '0' &&
+ (isALPHA_FOLD_EQ(s[1], 'x') || isALPHA_FOLD_EQ(s[1], 'b'))) {
+ *value = 0;
+ return (char *)s+1;
+diff --git a/t/lib/croak/regcomp b/t/lib/croak/regcomp
+index 0ba705e..c0c2710 100644
+--- a/t/lib/croak/regcomp
++++ b/t/lib/croak/regcomp
+@@ -70,3 +70,7 @@ qr/((a))/;
+ EXPECT
+ Too many nested open parens in regex; marked by <-- HERE in m/(( <-- HERE a))/ at - line 3.
+ ########
++# NAME numeric parsing buffer overflow in numeric.c
++0=~/\p{nV:-0}/
++EXPECT
++Can't find Unicode property definition "nV:-0" in regex; marked by <-- HERE in m/\p{nV:-0} <-- HERE / at - line 1.
+--
+2.21.0
+
diff --git a/perl.spec b/perl.spec
index 30f819a..4a7842b 100644
--- a/perl.spec
+++ b/perl.spec
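Review bot: The new bound `len - (s-orig) >= 2` in the numeric.c hunk subtracts a pointer difference from the unsigned `const STRLEN len`, so it would wrap to a very large value and pass if `s` were ever advanced beyond `orig + len`. The code that moves `s` is outside the hunk (the body of Perl_my_atof3 starts and ends beyond it), so whether that can happen has to be confirmed there. The additive form `if ((len == 0 || (STRLEN)(s - orig) + 2 <= len) && *s == '0' &&` expresses the same limit without any possibility of underflow. The `len == 0` branch still reads `s[1]` with no bound, which presumably relies on the input being NUL-terminated in that mode. A comment such as `/* s may already have moved past orig, so test the bytes remaining rather than the original len; len == 0 means no length was given */` would record both assumptions once verified.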
@@ -284,6 +284,10 @@ Patch69: perl-5.31.5-toke.c-comment-changes.patch # Fix a race in File::stat() tests, GH#17234, in upstream after 5.31.5 Patch70: perl-5.31.5-prevent-a-race-between-name-based-stat-and-an-open-m.patch +# Fix a buffer overread in when parsing a number, GH#17279, +# in upstream after 5.31.5 +Patch71: perl-5.30.1-handle-s-being-updated-without-len-being-updated.patch + # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch @@ -2875,6 +2879,7 @@ rm -rf .git # Perl tests examine a git repository %patch68 -p1 %patch69 -p1 %patch70 -p1 +%patch71 -p1 %patch200 -p1 %patch201 -p1 @@ -2940,6 +2945,7 @@ perl -x patchlevel.h \ 'Fedora Patch68: Fix an unintended upgrade to UTF-8 in the middle of a transliteration' \ 'Fedora Patch69: Fix an unintended upgrade to UTF-8 in the middle of a transliteration' \ 'Fedora Patch70: Fix a race in File::stat() tests (GH#17234)' \ + 'Fedora Patch71: Fix a buffer overread in when parsing a number (GH#17279)' \ 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \ 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \ %{nil} @@ -5192,6 +5198,7 @@ popd - Fix handling a layer argument in Tie::StdHandle::BINMODE() (RT#132475) - Fix an unintended upgrade to UTF-8 in the middle of a transliteration - Fix a race in File::stat() tests (GH#17234) +- Fix a buffer overread in when parsing a number (GH#17279) * Mon Nov 11 2019 Jitka Plesnikova - 4:5.30.1-447 - 5.30.1 bump (see