Fix a null-pointer dereference on malformed code

2017-03-08 10:55:17 +01:00 · 2017-03-08 10:55:17 +01:00 · 2f5d87ed75
commit 2f5d87ed75
parent b39bdfd34d
2 changed files with 82 additions and 1 deletions
--- a/perl-5.24.1-perl-130815-fix-ck_return-null-pointer-deref-on-malf.patch
+++ b/perl-5.24.1-perl-130815-fix-ck_return-null-pointer-deref-on-malf.patch
@ -0,0 +1,72 @@
+From be05b2f7a801ae1721641fd240e0d7d6fc018136 Mon Sep 17 00:00:00 2001
+From: Aaron Crane <arc@cpan.org>
+Date: Sun, 19 Feb 2017 12:26:54 +0000
+Subject: [PATCH] fix ck_return null-pointer deref on malformed code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported to 5.24.1:
+
+commit e5c165a0b7551ffb94661aa7f18aabadba257782
+Author: Aaron Crane <arc@cpan.org>
+Date:   Sun Feb 19 12:26:54 2017 +0000
+
+    [perl #130815] fix ck_return null-pointer deref on malformed code
+
+commit 9de2a80ffc0eefb4d60e13766baf4bad129e0a92
+Author: David Mitchell <davem@iabyn.com>
+Date:   Sun Feb 19 12:36:58 2017 +0000
+
+    bump test count in t/comp/parser.t
+
+    (the previous commit forgot to)
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ op.c            | 2 +-
+ t/comp/parser.t | 8 +++++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/op.c b/op.c
+index 018d90c..9a61ea7 100644
+--- a/op.c
+++ b/op.c
+@@ -10695,7 +10695,7 @@ Perl_ck_return(pTHX_ OP *o)
+     PERL_ARGS_ASSERT_CK_RETURN;
+ 
+     kid = OpSIBLING(cLISTOPo->op_first);
+-    if (CvLVALUE(PL_compcv)) {
+    if (PL_compcv && CvLVALUE(PL_compcv)) {
+ 	for (; kid; kid = OpSIBLING(kid))
+ 	    op_lvalue(kid, OP_LEAVESUBLV);
+     }
+diff --git a/t/comp/parser.t b/t/comp/parser.t
+index 50f601c..5016509 100644
+--- a/t/comp/parser.t
+++ b/t/comp/parser.t
+@@ -8,7 +8,7 @@ BEGIN {
+     chdir 't' if -d 't';
+ }
+ 
+-print "1..173\n";
+print "1..174\n";
+ 
+ sub failed {
+     my ($got, $expected, $name) = @_;
+@@ -546,6 +546,12 @@ eval "grep+grep";
+ eval 'qq{@{0]}${}},{})';
+ is(1, 1, "RT #124207");
+ 
+# RT #130815: crash in ck_return for malformed code
+{
+    eval 'm(@{if(0){sub d{]]])}return';
+    like $@, qr/^syntax error at \(eval \d+\) line 1, near "\{\]"/,
+        'RT #130815: null pointer deref';
+}
+ 
+ # Add new tests HERE (above this line)
+ 
+-- 
+2.7.4
+
--- a/perl.spec
+++ b/perl.spec
@ -28,7 +28,7 @@
 Name:           perl
 Version:        %{perl_version}
 # release number must be even higher, because dual-lived modules will be broken otherwise
-Release:        389%{?dist}
+Release:        390%{?dist}
 Epoch:          %{perl_epoch}
 Summary:        Practical Extraction and Report Language
 Group:          Development/Languages
@ -301,6 +301,10 @@ Patch85:        perl-5.24.1-fix-pad-scope-issue-in-re_evals.patch
 # in upstream after 5.25.9
 Patch86:        perl-5.25.9-avoid-a-leak-in-list-assign-from-to-magic-values.patch

+# Fix a null-pointer dereference on malformed code, RT#130815,
+# in upstream after 5.25.9
+Patch87:        perl-5.24.1-perl-130815-fix-ck_return-null-pointer-deref-on-malf.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch

@ -3013,6 +3017,7 @@ popd
 %patch84 -p1
 %patch85 -p1
 %patch86 -p1
+%patch87 -p1
 %patch200 -p1
 %patch201 -p1

@ -3084,6 +3089,7 @@ perl -x patchlevel.h \
    'Fedora Patch83: Fix a buffer overflow when studying some regexps repeatedly (RT#129281, RT#129061)' \
    'Fedora Patch85: Fix a heap buffer overflow when evaluating regexps with embedded code blocks from more than one source, RT#129881' \
    'Fedora Patch86: Fix a memory leak in list assignment from or to magic values, (RT#130766)' \
+    'Fedora Patch87: Fix a null-pointer dereference on malformed code (RT#130815)' \
    'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
    'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
    %{nil}
@ -5360,6 +5366,9 @@ popd

 # Old changelog entries are preserved in CVS.
 %changelog
+* Wed Mar 08 2017 Petr Pisar <ppisar@redhat.com> - 4:5.24.1-390
+- Fix a null-pointer dereference on malformed code (RT#130815)
+
 * Fri Feb 17 2017 Petr Pisar <ppisar@redhat.com> - 4:5.24.1-389
 - Adapt Compress::Raw::Zlib to zlib-1.2.11 (bug #1420326)
 - Fix a heap buffer overflow when evaluating regexps with embedded code blocks