Fix a heap overlow in parsing $#

2017-01-26 13:38:31 +01:00 · 2017-01-26 13:38:31 +01:00 · 4890b78564
commit 4890b78564
parent affaa4c7f0
2 changed files with 76 additions and 0 deletions
--- a/perl-5.24.1-perl-129274-avoid-treating-the-in-as-a-comment-intro.patch
+++ b/perl-5.24.1-perl-129274-avoid-treating-the-in-as-a-comment-intro.patch
@ -0,0 +1,70 @@
 From 2f221fc2333bd87615c03354b591b390e8b06715 Mon Sep 17 00:00:00 2001
 From: Tony Cook <tony@develop-help.com>
 Date: Tue, 24 Jan 2017 11:14:28 +1100
 Subject: [PATCH] (perl #129274) avoid treating the # in $# as a comment intro
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Petr Písař: Ported to 5.24.1:
 commit 71776ae4fad9a7659deefe0c2376d45b873ffd6a
 Author: Tony Cook <tony@develop-help.com>
 Date:   Tue Jan 24 11:14:28 2017 +1100
    (perl #129274) avoid treating the # in $# as a comment intro
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 t/op/lex.t | 15 ++++++++++++++-
 toke.c     |  4 +++-
 2 files changed, 17 insertions(+), 2 deletions(-)
 diff --git a/t/op/lex.t b/t/op/lex.t
 index 9ada592..d679d7c 100644
 --- a/t/op/lex.t
 +++ b/t/op/lex.t
@@ -7,7 +7,7 @@ use warnings;
 BEGIN { chdir 't' if -d 't'; require './test.pl'; }
 -plan(tests => 26);
 +plan(tests => 27);
 {
     no warnings 'deprecated';
@@ -216,3 +216,16 @@ fresh_perl_like(
     {},
     '[perl #129336] - #!perl -i argument handling'
 );
 +
 +# probably only failed under ASAN
 +fresh_perl_is(
 +    "stat\tt\$#0",
 +    <<'EOM',
 +$# is no longer supported at - line 1.
 +Number found where operator expected at - line 1, near "$#0"
 +	(Missing operator before 0?)
 +Can't call method "t" on an undefined value at - line 1.
 +EOM
 +    {},
 +    "[perl #129273] heap use after free or overflow"
 +);
 diff --git a/toke.c b/toke.c
 index 576ce72..630fc59 100644
 --- a/toke.c
 +++ b/toke.c
@@ -4090,7 +4090,9 @@ S_intuit_method(pTHX_ char *start, SV *ioname, CV *cv)
 	if (cv || PL_last_lop_op == OP_PRINT || PL_last_lop_op == OP_SAY
             || isUPPER(*PL_tokenbuf))
 	    return 0;
 -	s = skipspace(s);
 +        /* this could be $# */
 +        if (isSPACE(*s))
 +            s = skipspace(s);
 	PL_bufptr = start;
 	PL_expect = XREF;
 	return *s == '(' ? FUNCMETH : METHOD;
 -- 
 2.7.4
--- a/perl.spec
+++ b/perl.spec
@ -269,6 +269,9 @@ Patch74:        perl-5.24.1-Fix-memory-leak-in-B-RHE-HASH-method.patch
 # in upstream after 5.25.9
 Patch75:        perl-5.24.1-permit-goto-at-top-level-of-multicalled-sub.patch
 # Fix a heap overlow in parsing $#, RT#129274, in upstream after 5.25.9
 Patch76:        perl-5.24.1-perl-129274-avoid-treating-the-in-as-a-comment-intro.patch
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@ -2968,6 +2971,7 @@ Perl extension for Version Objects
 %patch73 -p1
 %patch74 -p1
 %patch75 -p1
 %patch76 -p1
 %patch200 -p1
 %patch201 -p1
@ -3031,6 +3035,7 @@ perl -x patchlevel.h \
    'Fedora Patch73: Fix recreation of *:: (RT#129869)' \
    'Fedora Patch74: Fix a memory leak in B::RHE->HASH method (RT#130504)' \
    'Fedora Patch75: Fix parsing goto statements in multicalled subroutine (RT#113938)' \
    'Fedora Patch76: Fix a heap overlow in parsing $# (RT#129274)' \
    'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
    'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
    %{nil}
@ -5312,6 +5317,7 @@ popd
 - Fix recreation of *:: (RT#129869)
 - Fix a memory leak in B::RHE->HASH method (RT#130504)
 - Fix parsing goto statements in multicalled subroutine (RT#113938)
 - Fix a heap overlow in parsing $# (RT#129274)
 * Fri Jan 20 2017 Petr Pisar <ppisar@redhat.com> - 4:5.24.1-386
 - Fix a buffer overflow in split in scalar context (RT#130262)