From 4890b78564029a2ea7a8bff2eca60036cab6e3c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Thu, 26 Jan 2017 13:38:31 +0100
Subject: [PATCH] Fix a heap overlow in parsing $#
---
 ...d-treating-the-in-as-a-comment-intro.patch | 70 +++++++++++++++++++
 perl.spec | 6 ++
 2 files changed, 76 insertions(+)
 create mode 100644 perl-5.24.1-perl-129274-avoid-treating-the-in-as-a-comment-intro.patch
diff --git a/perl-5.24.1-perl-129274-avoid-treating-the-in-as-a-comment-intro.patch b/perl-5.24.1-perl-129274-avoid-treating-the-in-as-a-comment-intro.patch
new file mode 100644
index 0000000..922b171
--- /dev/null
+++ b/perl-5.24.1-perl-129274-avoid-treating-the-in-as-a-comment-intro.patch
@@ -0,0 +1,70 @@
+From 2f221fc2333bd87615c03354b591b390e8b06715 Mon Sep 17 00:00:00 2001
+From: Tony Cook
+Date: Tue, 24 Jan 2017 11:14:28 +1100
+Subject: [PATCH] (perl #129274) avoid treating the # in $# as a comment intro
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Petr Písař: Ported to 5.24.1:
+
+commit 71776ae4fad9a7659deefe0c2376d45b873ffd6a
+Author: Tony Cook
+Date: Tue Jan 24 11:14:28 2017 +1100
+
+ (perl #129274) avoid treating the # in $# as a comment intro
+
+Signed-off-by: Petr Písař
+---
+ t/op/lex.t | 15 ++++++++++++++-
+ toke.c | 4 +++-
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/t/op/lex.t b/t/op/lex.t
+index 9ada592..d679d7c 100644
+--- a/t/op/lex.t
++++ b/t/op/lex.t
+@@ -7,7 +7,7 @@ use warnings;
+ 
+ BEGIN { chdir 't' if -d 't'; require './test.pl'; }
+ 
+-plan(tests => 26);
++plan(tests => 27);
+ 
+ {
+ no warnings 'deprecated';
+@@ -216,3 +216,16 @@ fresh_perl_like(
+ {},
+ '[perl #129336] - #!perl -i argument handling'
+ );
++
++# probably only failed under ASAN
++fresh_perl_is(
++ "stat\tt\$#0",
++ <<'EOM',
++$# is no longer supported at - line 1.
++Number found where operator expected at - line 1, near "$#0"
++ (Missing operator before 0?)
++Can't call method "t" on an undefined value at - line 1.
++EOM
++ {},
++ "[perl #129273] heap use after free or overflow"
++);
+diff --git a/toke.c b/toke.c
+index 576ce72..630fc59 100644
+--- a/toke.c
++++ b/toke.c
+@@ -4090,7 +4090,9 @@ S_intuit_method(pTHX_ char *start, SV *ioname, CV *cv)
+ if (cv || PL_last_lop_op == OP_PRINT || PL_last_lop_op == OP_SAY
+ || isUPPER(*PL_tokenbuf))
+ return 0;
+- s = skipspace(s);
++ /* this could be $# */
++ if (isSPACE(*s))
++ s = skipspace(s);
+ PL_bufptr = start;
+ PL_expect = XREF;
+ return *s == '(' ? FUNCMETH : METHOD;
+-- 
+2.7.4
+
diff --git a/perl.spec b/perl.spec
index fb7b1f1..d32c8eb 100644
--- a/perl.spec
+++ b/perl.spec
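Review bot: The ticket number in the new test's description, `"[perl #129273] heap use after free or overflow"`, does not match the `(perl #129274)` used in the subject, the commit body and the spec entry; unless #129273 is a deliberate reference to a sibling ticket, it should be `"[perl #129274] heap use after free or overflow"` so the regression test can be traced back to the bug it covers. The comment `/* this could be $# */` on the toke.c change says nothing about what went wrong; given the subject states that skipspace() was treating the `#` of `$#` as a comment introducer, I would write `/* s may point at the '#' of "$#": skipspace() would treat it as a comment introducer and run to end of line (perl #129274), so only skip real whitespace */`. The guard still leaves `PL_bufptr = start` assigning a pointer that was taken before skipspace() ran, so if skipspace() can grow or replace the line buffer while consuming trailing whitespace the same stale-pointer pattern would remain on that path — I cannot confirm that from the hunk, but it is worth checking against upstream. S_intuit_method begins before this hunk.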
@@ -269,6 +269,9 @@ Patch74: perl-5.24.1-Fix-memory-leak-in-B-RHE-HASH-method.patch
 # in upstream after 5.25.9
 Patch75: perl-5.24.1-permit-goto-at-top-level-of-multicalled-sub.patch
+# Fix a heap overlow in parsing $#, RT#129274, in upstream after 5.25.9
+Patch76: perl-5.24.1-perl-129274-avoid-treating-the-in-as-a-comment-intro.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@@ -2968,6 +2971,7 @@ Perl extension for Version Objects
 %patch73 -p1
 %patch74 -p1
 %patch75 -p1
+%patch76 -p1
 %patch200 -p1
 %patch201 -p1
@@ -3031,6 +3035,7 @@ perl -x patchlevel.h \
 'Fedora Patch73: Fix recreation of *:: (RT#129869)' \
 'Fedora Patch74: Fix a memory leak in B::RHE->HASH method (RT#130504)' \
 'Fedora Patch75: Fix parsing goto statements in multicalled subroutine (RT#113938)' \
+ 'Fedora Patch76: Fix a heap overlow in parsing $# (RT#129274)' \
 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
 %{nil}
@@ -5312,6 +5317,7 @@ popd
 - Fix recreation of *:: (RT#129869)
 - Fix a memory leak in B::RHE->HASH method (RT#130504)
 - Fix parsing goto statements in multicalled subroutine (RT#113938)
+- Fix a heap overlow in parsing $# (RT#129274)
 * Fri Jan 20 2017 Petr Pisar - 4:5.24.1-386
 - Fix a buffer overflow in split in scalar context (RT#130262)
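Review bot: The description passed to `perl -x patchlevel.h`, `'Fedora Patch76: Fix a heap overlow in parsing $# (RT#129274)'`, is compiled into the built perl's list of locally applied patches (the list `perl -V` reports), and it carries a typo; it should read `'Fedora Patch76: Fix a heap overflow in parsing $# (RT#129274)'`. The same misspelling appears in the new `# Fix a heap overlow in parsing $#, RT#129274, in upstream after 5.25.9` comment above `Patch76:` and in the changelog line, so all three should be corrected together to keep the spec and the embedded description consistent.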