From 2a293b37996e3ccd2fdfcbafa0d1a9460b5bd599 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Mon, 28 Nov 2016 13:42:21 +0100
Subject: [PATCH] Fix crash in Storable when deserializing malformed code reference

---
 perl-5.25.7-Fix-Storable-segfaults.patch | 61 ++++++++++++++++++++++++
 perl.spec | 12 ++++-
 2 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 perl-5.25.7-Fix-Storable-segfaults.patch

diff --git a/perl-5.25.7-Fix-Storable-segfaults.patch b/perl-5.25.7-Fix-Storable-segfaults.patch
new file mode 100644
index 0000000..8934a13
--- /dev/null
+++ b/perl-5.25.7-Fix-Storable-segfaults.patch
@@ -0,0 +1,61 @@
+From fecd3be8dbdb747b9cbf4cbb9299ce40faabc8e6 Mon Sep 17 00:00:00 2001
+From: John Lightsey
+Date: Mon, 14 Nov 2016 11:56:15 +0100
+Subject: [PATCH] Fix Storable segfaults.
+
+Fix a null pointed dereference segfault in storable when the
+retrieve_code logic was unable to read the string that contained
+the code.
+
+Also fix several locations where retrieve_other was called with a
+null context pointer. This also resulted in a null pointer
+dereference.
+---
+ dist/Storable/Storable.xs | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
+index 053951c..caa489c 100644
+--- a/dist/Storable/Storable.xs
++++ b/dist/Storable/Storable.xs
+@@ -5647,6 +5647,10 @@ static SV *retrieve_code(pTHX_ stcxt_t *cxt, const char *cname)
+ CROAK(("Unexpected type %d in retrieve_code\n", type));
+ }
+
++ if (!text) {
++ CROAK(("Unable to retrieve code\n"));
++ }
++
+ /*
+ * prepend "sub " to the source
+ */
+@@ -5767,7 +5771,7 @@ static SV *old_retrieve_array(pTHX_ stcxt_t *cxt, const char *cname)
+ continue; /* av_extend() already filled us with undef */
+ }
+ if (c != SX_ITEM)
+- (void) retrieve_other(aTHX_ (stcxt_t *) 0, 0); /* Will croak out */
++ (void) retrieve_other(aTHX_ cxt, 0); /* Will croak out */
+ TRACEME(("(#%d) item", i));
+ sv = retrieve(aTHX_ cxt, 0); /* Retrieve item */
+ if (!sv)
+@@ -5844,7 +5848,7 @@ static SV *old_retrieve_hash(pTHX_ stcxt_t *cxt, const char *cname)
+ if (!sv)
+ return (SV *) 0;
+ } else
+- (void) retrieve_other(aTHX_ (stcxt_t *) 0, 0); /* Will croak out */
++ (void) retrieve_other(aTHX_ cxt, 0); /* Will croak out */
+
+ /*
+ * Get key.
+@@ -5855,7 +5859,7 @@ static SV *old_retrieve_hash(pTHX_ stcxt_t *cxt, const char *cname)
+
+ GETMARK(c);
+ if (c != SX_KEY)
+- (void) retrieve_other(aTHX_ (stcxt_t *) 0, 0); /* Will croak out */
++ (void) retrieve_other(aTHX_ cxt, 0); /* Will croak out */
+ RLEN(size); /* Get key size */
+ KBUFCHK((STRLEN)size); /* Grow hash key read pool if needed */
+ if (size)
+--
+2.10.2
+
diff --git a/perl.spec b/perl.spec
index faad7f7..93fc725 100644
--- a/perl.spec
+++ b/perl.spec
@@ -28,7 +28,7 @@
 Name: perl
 Version: %{perl_version}
 # release number must be even higher, because dual-lived modules will be broken otherwise
-Release: 380%{?dist}
+Release: 381%{?dist}
 Epoch: %{perl_epoch}
 Summary: Practical Extraction and Report Language
 Group: Development/Languages
@@ -219,6 +219,10 @@ Patch57: perl-5.25.6-perl-130001-h2xs-avoid-infinite-loop-for-enums.patch
 # in upstream after 5.25.6
 Patch58: perl-5.24.0-perl-129130-make-chdir-allocate-the-stack-it-needs.patch

+# Fix crash in Storable when deserializing malformed code reference, RT#68348,
+# RT130098
+Patch59: perl-5.25.7-Fix-Storable-segfaults.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch

@@ -2903,6 +2907,7 @@ Perl extension for Version Objects
 %patch56 -p1
 %patch57 -p1
 %patch58 -p1
+%patch59 -p1
 %patch200 -p1
 %patch201 -p1

@@ -2952,6 +2957,7 @@ perl -x patchlevel.h \
 'Fedora Patch56: Fix firstchar bitmap under UTF-8 with prefix optimization (RT#129950)' \
 'Fedora Patch57: Avoid infinite loop in h2xs tool if enum and type have the same name (RT130001)' \
 'Fedora Patch58: Fix stack handling when calling chdir without an argument (RT#129130)' \
+ 'Fedora Patch59: Fix crash in Storable when deserializing malformed code reference (RT#68348, RT#130098)' \
 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
 %{nil}
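Review bot: The added perl-5.25.7-Fix-Storable-segfaults.patch carries no regression test: its diffstat lists only dist/Storable/Storable.xs, so nothing exercises the new `if (!text)` guard in retrieve_code or the three `retrieve_other(aTHX_ cxt, 0)` calls in old_retrieve_array and old_retrieve_hash. A test that retrieves a malformed frozen code reference and an old-format array and hash with an unexpected marker, and asserts that each call dies with a Perl exception rather than crashing the interpreter, would keep these paths covered when the patch is rebased. In the old_retrieve_* hunks the statements after the call would still run if retrieve_other ever returned, so the code depends on the `/* Will croak out */` comment being true; wording it as `/* retrieve_other() croaks and never returns */` makes that dependency explicit. All three functions begin and end outside the hunks, so it cannot be checked here whether anything allocated earlier in retrieve_code is released on the new croak path.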
@@ -5230,6 +5236,10 @@ popd # Old changelog entries are preserved in CVS. %changelog +* Mon Nov 28 2016 Petr Pisar - 4:5.24.0-381 +- Fix crash in Storable when deserializing malformed code reference + (RT#68348, RT#130098) + * Wed Nov 09 2016 Petr Pisar - 4:5.24.0-380 - Tie perl-Errno release to interpreter build because of kernel version check (bug #1393421)