rpms/perl
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Prevent from wrapping a width in a numeric format string

Browse Source
This commit is contained in:
Petr Písař 2019-06-25 16:22:31 +02:00
parent 592c794ab8
commit 4298c8523d
2 changed files with 80 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
perl-5.31.0-perl-133913-limit-numeric-format-results-to-INT_MAX.patch Normal file
View File

@ -0,0 +1,73 @@
From 027471cf1095f75f273df40310e4647fe1e8a9df Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 20 Mar 2019 16:47:49 +1100
Subject: [PATCH] (perl #133913) limit numeric format results to INT_MAX
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The return value of v?snprintf() is int, and we pay attention to that
return value, so limit the expected size of numeric formats to
INT_MAX.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
pod/perldiag.pod | 6 ++++++
sv.c | 7 +++++++
t/op/sprintf2.t | 7 +++++++
3 files changed, 20 insertions(+)
diff --git a/pod/perldiag.pod b/pod/perldiag.pod
index 1037215d44..166d29b4bb 100644
--- a/pod/perldiag.pod
+++ b/pod/perldiag.pod
@@ -4354,6 +4354,12 @@ the meantime, try using scientific notation (e.g. "1e6" instead of
a number. This happens, for example with C<\o{}>, with no number between
the braces.
+=item Numeric format result too large
+
+(F) The length of the result of a numeric format supplied to sprintf()
+or printf() would have been too large for the underlying C function to
+report. This limit is typically 2GB.
+
=item Octal number > 037777777777 non-portable
(W portable) The octal number you specified is larger than 2**32-1
diff --git a/sv.c b/sv.c
index 8fbca52eb2..8bc0af0c16 100644
--- a/sv.c
+++ b/sv.c
@@ -13085,6 +13085,13 @@ Perl_sv_vcatpvfn_flags(pTHX_ SV *const sv, const char *const pat, const STRLEN p
if (float_need < width)
float_need = width;
+ if (float_need > INT_MAX) {
+ /* snprintf() returns an int, and we use that return value,
+ so die horribly if the expected size is too large for int
+ */
+ Perl_croak(aTHX_ "Numeric format result too large");
+ }
+
if (PL_efloatsize <= float_need) {
/* PL_efloatbuf should be at least 1 greater than
* float_need to allow a trailing \0 to be returned by
diff --git a/t/op/sprintf2.t b/t/op/sprintf2.t
index 84259a4afd..5fee8efede 100644
--- a/t/op/sprintf2.t
+++ b/t/op/sprintf2.t
@@ -1153,4 +1153,11 @@ foreach(
is sprintf("%.0f", $_), sprintf("%-.0f", $_), "special-case %.0f on $_";
}
+# large uvsize needed so the large width is parsed properly
+# large sizesize needed so the STRLEN check doesn't
+if ($Config{intsize} == 4 && $Config{uvsize} > 4 && $Config{sizesize} > 4) {
+ eval { my $x = sprintf("%7000000000E", 0) };
+ like($@, qr/^Numeric format result too large at /,
+ "croak for very large numeric format results");
+}
done_testing();
--
2.20.1

7
perl.spec
View File

@ -179,6 +179,10 @@ Patch25: perl-5.31.0-perl-134008-an-alternative-test.patch
# Fix an erroneous assertion on OP_SCALAR, RT#134048, fixed after 5.31.0 # Fix an erroneous assertion on OP_SCALAR, RT#134048, fixed after 5.31.0
Patch26: perl-5.31.0-perl-134048-prevent-an-erroneous-assertion-on-OP_SCA.patch Patch26: perl-5.31.0-perl-134048-prevent-an-erroneous-assertion-on-OP_SCA.patch
# Prevent from wrapping a width in a numeric format string, RT#133913,
# fixed after 5.31.0
Patch27: perl-5.31.0-perl-133913-limit-numeric-format-results-to-INT_MAX.patch
# Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@ -2723,6 +2727,7 @@ Perl extension for Version Objects
%patch24 -p1 %patch24 -p1
%patch25 -p1 %patch25 -p1
%patch26 -p1 %patch26 -p1
%patch27 -p1
%patch200 -p1 %patch200 -p1
%patch201 -p1 %patch201 -p1
@ -2756,6 +2761,7 @@ perl -x patchlevel.h \
'Fedora Patch24: Fix a crash with a negative precision in sprintf function (RT#134008)' \ 'Fedora Patch24: Fix a crash with a negative precision in sprintf function (RT#134008)' \
'Fedora Patch25: Fix a crash with a negative precision in sprintf function (RT#134008)' \ 'Fedora Patch25: Fix a crash with a negative precision in sprintf function (RT#134008)' \
'Fedora Patch26: Fix an erroneous assertion on OP_SCALAR (RT#134048)' \ 'Fedora Patch26: Fix an erroneous assertion on OP_SCALAR (RT#134048)' \
'Fedora Patch27: Prevent from wrapping a width in a numeric format string (RT#133913)' \
'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \ 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \ 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
%{nil} %{nil}
@ -5011,6 +5017,7 @@ popd
(RT#122112) (RT#122112)
- Fix a crash with a negative precision in sprintf function (RT#134008) - Fix a crash with a negative precision in sprintf function (RT#134008)
- Fix an erroneous assertion on OP_SCALAR (RT#134048) - Fix an erroneous assertion on OP_SCALAR (RT#134048)
- Prevent from wrapping a width in a numeric format string (RT#133913)
* Tue Jun 11 2019 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.30.0-439 * Tue Jun 11 2019 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.30.0-439
- Define %%perl_vendor*, %%perl_archlib, %%perl_privlib, because in rpm - Define %%perl_vendor*, %%perl_archlib, %%perl_privlib, because in rpm