From 622440427f30eca31409841eb26637c3862ca0ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Thu, 4 Mar 2021 17:39:11 +0100
Subject: [PATCH] Prevent the number of buckets in a hash from getting too large
---
...-clause-to-prevent-the-number-of-buc.patch | 53 +++++++++++++++++++
perl.spec | 7 +++
2 files changed, 60 insertions(+)
create mode 100644 perl-5.32.1-hv.c-add-a-guard-clause-to-prevent-the-number-of-buc.patch
diff --git a/perl-5.32.1-hv.c-add-a-guard-clause-to-prevent-the-number-of-buc.patch b/perl-5.32.1-hv.c-add-a-guard-clause-to-prevent-the-number-of-buc.patch
new file mode 100644
index 0000000..de7652e
--- /dev/null
+++ b/perl-5.32.1-hv.c-add-a-guard-clause-to-prevent-the-number-of-buc.patch
@@ -0,0 +1,53 @@
+From c5eed6e541fe27d9e9dfd31f42c43f4dfa1f486b Mon Sep 17 00:00:00 2001
+From: Yves Orton
+Date: Sat, 11 Jul 2020 09:26:21 +0200
+Subject: [PATCH] hv.c: add a guard clause to prevent the number of buckets in
+ a hash from getting too large
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This caps it at 1<<28 buckets, eg, ~268M. In theory without a guard clause like
+this we could grow to the point of possibly wrapping around in terms of size,
+not to mention being ridiculously wasteful of memory at larger sizes.
+Even this cap is probably too high. It should probably be something like 1<<24.
+
+Petr Písař: Ported to 5.32.1 from
+aae087f7cec022be14a17deb95cb2208e16b7891.
+
+Signed-off-by: Petr Písař
+---
+ hv.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/hv.c b/hv.c
+index eccae62..32dbd19 100644
+--- a/hv.c
++++ b/hv.c
+@@ -38,7 +38,13 @@ holds the key and hash value.
+ * NOTE if you change this formula so we split earlier than previously
+ * you MUST change the logic in hv_ksplit()
+ */
+-#define DO_HSPLIT(xhv) ( ((xhv)->xhv_keys + ((xhv)->xhv_keys >> 1)) > (xhv)->xhv_max )
++
++/* MAX_BUCKET_MAX is the maximum max bucket index, at which point we stop growing the
++ * number of buckets,
++ */
++#define MAX_BUCKET_MAX ((1<<26)-1)
++#define DO_HSPLIT(xhv) ( ( ((xhv)->xhv_keys + ((xhv)->xhv_keys >> 1)) > (xhv)->xhv_max ) && \
++ ((xhv)->xhv_max < MAX_BUCKET_MAX) )
+ #define HV_FILL_THRESHOLD 31
+
+ static const char S_strtab_error[]
+@@ -1426,6 +1432,8 @@ S_hsplit(pTHX_ HV *hv, STRLEN const oldsize, STRLEN newsize)
+ );
+
+ PERL_ARGS_ASSERT_HSPLIT;
++ if (newsize > MAX_BUCKET_MAX+1)
++ return;
+
+ PL_nomemok = TRUE;
+ Renew(a, PERL_HV_ARRAY_ALLOC_BYTES(newsize)
+--
+2.26.2
+
diff --git a/perl.spec b/perl.spec
index 37c952e..ffe8a9f 100644
--- a/perl.spec
+++ b/perl.spec
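Review bot: The commit text carried in this patch says the cap is 1<<28 buckets (~268M), but the added `#define MAX_BUCKET_MAX ((1<<26)-1)` caps the array at 1<<26 buckets, so the description and the code disagree about the limit that bounds hash memory growth. The comment above the macro also ends on a dangling comma and does not state the value; I would write it as `/* MAX_BUCKET_MAX is the largest xhv_max we allow (1<<26 buckets); DO_HSPLIT() stops asking for growth at this index and S_hsplit() refuses larger sizes. */`. The guard `if (newsize > MAX_BUCKET_MAX+1) return;` in S_hsplit returns without signalling, and the rest of S_hsplit and its callers are outside the hunk, so it is worth confirming that hv_ksplit(), which the existing NOTE comment ties to this formula, cannot size the bucket array past the cap on a path that does not go through S_hsplit.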
@@ -265,6 +265,10 @@ Patch53: perl-5.33.6-Add-missing-entries-to-perldiag-GH-18276.patch # in upstream after 5.33.6 Patch54: perl-5.33.6-t-run-locale.t-Rmv-LANGUAGE-from-environment.patch +# Prevent the number of buckets in a hash from getting too large, +# in upstream after 5.33.6 +Patch55: perl-5.32.1-hv.c-add-a-guard-clause-to-prevent-the-number-of-buc.patch + # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch @@ -4320,6 +4324,7 @@ you're not running VMS, this module does nothing. %patch52 -p1 %patch53 -p1 %patch54 -p1 +%patch55 -p1 %patch200 -p1 %patch201 -p1 @@ -4373,6 +4378,7 @@ perl -x patchlevel.h \ 'Fedora Patch52: Fix PERL_UNUSED_ARG() definition in XSUB.h' \ 'Fedora Patch53: Add missing entries to perldiag (GH#18276)' \ 'Fedora Patch54: Protect locale tests from LANGUAGE environment variable' \ + 'Fedora Patch55: Prevent the number of buckets in a hash from getting too large' \ 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \ 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \ %{nil} @@ -7102,6 +7108,7 @@ popd %changelog * Thu Mar 04 2021 Petr Pisar - 4:5.32.1-472 - Protect locale tests from LANGUAGE environment variable +- Prevent the number of buckets in a hash from getting too large * Tue Feb 09 2021 Petr Pisar - 4:5.32.1-471 - Make accessing environment by DynaLoader thread-safe