diff --git a/perl-5.24.1-perl-129281-test-for-buffer-overflow-issue.patch b/perl-5.24.1-perl-129281-test-for-buffer-overflow-issue.patch
new file mode 100644
index 0000000..30397b5
--- /dev/null
+++ b/perl-5.24.1-perl-129281-test-for-buffer-overflow-issue.patch
@@ -0,0 +1,49 @@
+From 92f8cd4e7b0ff3d09162139e3c99b1d9310bca81 Mon Sep 17 00:00:00 2001
+From: Tony Cook
+Date: Mon, 10 Oct 2016 10:46:46 +1100
+Subject: [PATCH] (perl #129281) test for buffer overflow issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported to 5.24.1:
+
+commit d2ba660af00f1bf2e7012741615eff7c19f29707
+Author: Tony Cook
+Date: Mon Oct 10 10:46:46 2016 +1100
+
+ (perl #129281) test for buffer overflow issue
+
+Signed-off-by: Petr Písař
+---
+ t/re/pat.t | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/t/re/pat.t b/t/re/pat.t
+index 749edd0..7b8e6f7 100644
+--- a/t/re/pat.t
++++ b/t/re/pat.t
+@@ -23,7 +23,7 @@ BEGIN {
+ skip_all_without_unicode_tables();
+ }
+ 
+-plan tests => 792; # Update this when adding/deleting tests.
++plan tests => 793; # Update this when adding/deleting tests.
+ 
+ run_tests() unless caller;
+ 
+@@ -1779,6 +1779,11 @@ EOP
+ }msx, { stderr => 1 }, "Offsets in debug output are not negative");
+ }
+ }
++ {
++ # [perl #129281] buffer write overflow, detected by ASAN, valgrind
++ local $::TODO = "whilem_c bumped too much";
++ fresh_perl_is('/0(?0)|^*0(?0)|^*(^*())0|/', '', {}, "don't bump whilem_c too much");
++ }
+ } # End of sub run_tests
+ 
+ 1;
+--
+2.7.4
+
diff --git a/perl-5.25.9-perl-129061-CURLYX-nodes-can-be-studied-more-than-on.patch b/perl-5.25.9-perl-129061-CURLYX-nodes-can-be-studied-more-than-on.patch
new file mode 100644
index 0000000..d7b9c6b
--- /dev/null
+++ b/perl-5.25.9-perl-129061-CURLYX-nodes-can-be-studied-more-than-on.patch
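Review bot: The regression test added to t/re/pat.t in this ported patch can only observe the defect under instrumentation: its own comment says the overflow was "detected by ASAN, valgrind", and `fresh_perl_is(...)` merely compares the child's output with `''`, so on an uninstrumented build an unfixed interpreter will most likely still pass and the test is not a regression guard by itself. It would help a packager running %check to state that in the comment, e.g. `# [perl #129281] buffer write overflow, detected by ASAN, valgrind (only observable on instrumented builds)`. The enclosing sub run_tests starts outside the hunk.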
@@ -0,0 +1,69 @@
+From 42e9b60980bb8e29e76629e14c6aa945194c0647 Mon Sep 17 00:00:00 2001
+From: Hugo van der Sanden
+Date: Wed, 5 Oct 2016 02:20:26 +0100
+Subject: [PATCH] [perl #129061] CURLYX nodes can be studied more than once
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+study_chunk() for CURLYX is used to set flags on the linked WHILEM
+node to say it is the whilem_c'th of whilem_seen. However it assumes
+each CURLYX can be studied only once, which is not the case - there
+are various cases such as GOSUB which call study_chunk() recursively
+on already-visited parts of the program.
+
+Storing the wrong index can cause the super-linear cache handling in
+regmatch() to read/write the byte after the end of poscache.
+
+Also reported in [perl #129281].
+
+Signed-off-by: Petr Písař
+---
+ regcomp.c | 12 +++++++++---
+ t/re/pat.t | 1 -
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/regcomp.c b/regcomp.c
+index 850a6c1..48c8d8d 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -5218,15 +5218,21 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ However, this time it's not a subexpression
+ we care about, but the expression itself. */
+ && (maxcount == REG_INFTY)
+- && data && ++data->whilem_c < 16) {
++ && data) {
+ /* This stays as CURLYX, we can put the count/of pair. */
+ /* Find WHILEM (as in regexec.c) */
+ regnode *nxt = oscan + NEXT_OFF(oscan);
+ 
+ if (OP(PREVOPER(nxt)) == NOTHING) /* LONGJMP */
+ nxt += ARG(nxt);
+- PREVOPER(nxt)->flags = (U8)(data->whilem_c
+- | (RExC_whilem_seen << 4)); /* On WHILEM */
++ nxt = PREVOPER(nxt);
++ if (nxt->flags & 0xf) {
++ /* we've already set whilem count on this node */
++ } else if (++data->whilem_c < 16) {
++ assert(data->whilem_c <= RExC_whilem_seen);
++ nxt->flags = (U8)(data->whilem_c
++ | (RExC_whilem_seen << 4)); /* On WHILEM */
++ }
+ }
+ if (data && fl & (SF_HAS_PAR|SF_IN_PAR))
+ pars++;
+diff --git a/t/re/pat.t b/t/re/pat.t
+index ecd3af1..16bfc8e 100644
+--- a/t/re/pat.t
++++ b/t/re/pat.t
+@@ -1909,7 +1909,6 @@ EOP
+ }
+ {
+ # [perl #129281] buffer write overflow, detected by ASAN, valgrind
+- local $::TODO = "whilem_c bumped too much";
+ fresh_perl_is('/0(?0)|^*0(?0)|^*(^*())0|/', '', {}, "don't bump whilem_c too much");
+ }
+ } # End of sub run_tests
+--
+2.7.4
+
diff --git a/perl.spec b/perl.spec
index f89370f..2e2b602 100644
--- a/perl.spec
+++ b/perl.spec
@@ -287,6 +287,11 @@ Patch81: perl-5.25.9-silence-warnings-from-tests-about-impossible-quantif
 # in upstream after 5.25.9
 Patch82: perl-5.24.1-buffer-overrun-with-format-and-use-bytes.patch
 
+# Fix a buffer overflow when studying some regexps repeatedly,
+# RT#129281, RT#129061, un upstream after 5.25.9
+Patch83: perl-5.24.1-perl-129281-test-for-buffer-overflow-issue.patch
+Patch84: perl-5.25.9-perl-129061-CURLYX-nodes-can-be-studied-more-than-on.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
 
@@ -2997,6 +3002,8 @@ popd
 %patch80 -p1
 %patch81 -p1
 %patch82 -p1
+%patch83 -p1
+%patch84 -p1
 %patch200 -p1
 %patch201 -p1
 
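Review bot: The new guard in the regcomp.c hunk, `if (nxt->flags & 0xf) { /* already set */ } else if (++data->whilem_c < 16) {`, appears to treat a zero low nibble as "not yet numbered", which only holds because whilem_c is pre-incremented before it is stored (so a numbered WHILEM carries 1..15); that invariant deserves a comment on the check, e.g. `/* low nibble 0 == WHILEM not yet numbered: whilem_c is stored pre-incremented, so a numbered node holds 1..15 */`. The empty if-branch plus else-if could also be folded into one condition, `if (!(nxt->flags & 0xf) && ++data->whilem_c < 16) {`, which keeps the short-circuit so whilem_c is not bumped for already-numbered nodes. Note that `assert(data->whilem_c <= RExC_whilem_seen)` is compiled out in non-debug builds, so the `< 16` comparison is the only runtime bound on the stored index. The enclosing S_study_chunk() body extends beyond the hunk.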
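Review bot: The second comment line added in the Patch83/Patch84 hunk of perl.spec, `# RT#129281, RT#129061, un upstream after 5.25.9`, has a typo ("un upstream"); the neighbouring Patch82 comment uses "in upstream after 5.25.9", so it should read `# RT#129281, RT#129061, in upstream after 5.25.9`. It may also be worth noting in that comment that Patch83 only adds the regression test while Patch84 carries the regcomp.c fix, since both are described together as the fix.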
@@ -3064,6 +3071,7 @@ perl -x patchlevel.h \
 'Fedora Patch77: Adapt tests to zlib-1.2.11 (CPAN RT#119762)' \
 'Fedora Patch79: Fix a crash when compiling a regexp with impossible quantifiers (RT#130561)' \
 'Fedora Patch82: Fix a buffer overrun with format and "use bytes" (RT#130703)' \
+ 'Fedora Patch83: Fix a buffer overflow when studying some regexps repeatedly (RT#129281, RT#129061)' \
 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
 %{nil}
@@ -5344,6 +5352,8 @@ popd
 - Adapt tests to zlib-1.2.11 (bug #1420326)
 - Fix a crash when compiling a regexp with impossible quantifiers (RT#130561)
 - Fix a buffer overrun with format and "use bytes" (RT#130703)
+- Fix a buffer overflow when studying some regexps repeatedly
+ (RT#129281, RT#129061)
 
 * Thu Jan 26 2017 Petr Pisar - 4:5.24.1-387
 - Fix UTF-8 string handling in & operator (RT#129287)
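Review bot: The patchlevel.h entry added here names only Patch83, which is the test-only patch, while Patch84 — the regcomp.c change that actually addresses RT#129061/RT#129281 — is not recorded, although the other hunks of this commit register both as Patch83/Patch84 and apply both with %patch83/%patch84. Patch80 and Patch81 are absent from the visible list, so the convention may be to record only patches that change the interpreter; if so, the entry should name Patch84 instead, `'Fedora Patch84: Fix a buffer overflow when studying some regexps repeatedly (RT#129281, RT#129061)' \`, otherwise a second line for Patch84 is missing. The `perl -x patchlevel.h` invocation this list belongs to starts outside the hunk.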