Fix crash in "evalbytes S"

perl-5.24.0-Regression-test-for-RT-129196.patch

@@ -0,0 +1,45 @@
+From a51d828a6d402f30f37707c714de218f6b47dbd8 Mon Sep 17 00:00:00 2001
+From: Dan Collins <dcollinsn@gmail.com>
+Date: Sun, 4 Sep 2016 14:43:41 -0400
+Subject: [PATCH] Regression test for RT #129196
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported to 5.24.0:
+
+commit a6128716d2cc20147851e0a37768376647bd3242
+Author: Dan Collins <dcollinsn@gmail.com>
+Date:   Sun Sep 4 14:43:41 2016 -0400
+
+    Regression test for RT #129196
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ t/op/evalbytes.t | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/t/op/evalbytes.t b/t/op/evalbytes.t
+index cca7c04..5e2af76 100644
+--- a/t/op/evalbytes.t
++++ b/t/op/evalbytes.t
+@@ -6,7 +6,7 @@ BEGIN {
+     require './test.pl'; require './charset_tools.pl';
+ }
+ 
+-plan(tests => 8);
++plan(tests => 9);
+ 
+ {
+     local $SIG{__WARN__} = sub {};
+@@ -33,3 +33,7 @@ chop($upcode = "use utf8; $U_100" . chr 256);
+ is evalbytes $upcode, chr 256, 'use utf8 within evalbytes on utf8 string';
+ eval { evalbytes chr 256 };
+ like $@, qr/Wide character/, 'evalbytes croaks on non-bytes';
++
++eval 'evalbytes S';
++ok 1, '[RT #129196] evalbytes S should not segfault';
++
+-- 
+2.7.4
+

perl-5.25.4-perl-129196-Crash-bad-read-with-evalbytes-S.patch

@@ -0,0 +1,37 @@
+From 9bde56224e82f20e7a65b3469b1ffb6b9f6d4df8 Mon Sep 17 00:00:00 2001
+From: Father Chrysostomos <sprout@cpan.org>
+Date: Sun, 4 Sep 2016 20:24:19 -0700
+Subject: [PATCH] =?UTF-8?q?[perl=20#129196]=20Crash/bad=20read=20with=20?=
+ =?UTF-8?q?=E2=80=98evalbytes=20S=E2=80=99?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+5dc13276 added some code to toke.c that did not take into account
+that the opnum (‘f’) argument to UNI* could be a negated op number.
+PL_last_lop_op must never be negative, since it is used as an offset
+into a struct.
+
+Tests for the crash will come in the next commit.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ toke.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/toke.c b/toke.c
+index 2fe8b69..2350703 100644
+--- a/toke.c
++++ b/toke.c
+@@ -241,7 +241,7 @@ static const char* const lex_state_names[] = {
+ 	if (have_x) PL_expect = x; \
+ 	PL_bufptr = s; \
+ 	PL_last_uni = PL_oldbufptr; \
+-	PL_last_lop_op = f; \
++	PL_last_lop_op = f < 0 ? -f : f; \
+ 	if (*s == '(') \
+ 	    return REPORT( (int)FUNC1 ); \
+ 	s = skipspace(s); \
+-- 
+2.7.4
+

perl-5.25.4-toke.c-fix-mswin32-builds.patch

@@ -0,0 +1,46 @@
+From 0af40c757f083cc12988effb46da5313cd042f00 Mon Sep 17 00:00:00 2001
+From: David Mitchell <davem@iabyn.com>
+Date: Mon, 5 Sep 2016 15:49:28 +0100
+Subject: [PATCH] toke.c: fix mswin32 builds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+9bde56224 added this as part of macro:
+
+-	PL_last_lop_op = f; \
++	PL_last_lop_op = f < 0 ? -f : f; \
+
+which broke win32 builds due to this
+
+    UNIBRACK(-OP_ENTEREVAL)
+
+expanding to
+
+    PL_last_lop_op = -345 < 0 ? --345 : -345
+
+and the -- being seen as a pre-dec op.
+
+Diagnosed by Dagfinn Ilmari Mannsåker.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ toke.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/toke.c b/toke.c
+index 2350703..a1cdda8 100644
+--- a/toke.c
++++ b/toke.c
+@@ -241,7 +241,7 @@ static const char* const lex_state_names[] = {
+ 	if (have_x) PL_expect = x; \
+ 	PL_bufptr = s; \
+ 	PL_last_uni = PL_oldbufptr; \
+-	PL_last_lop_op = f < 0 ? -f : f; \
++	PL_last_lop_op = (f) < 0 ? -(f) : (f); \
+ 	if (*s == '(') \
+ 	    return REPORT( (int)FUNC1 ); \
+ 	s = skipspace(s); \
+-- 
+2.7.4
+

perl.spec

@@ -28,7 +28,7 @@
 Name:           perl
 Version:        %{perl_version}
 # release number must be even higher, because dual-lived modules will be broken otherwise
-Release:        378%{?dist}
+Release:        379%{?dist}
 Epoch:          %{perl_epoch}
 Summary:        Practical Extraction and Report Language
 Group:          Development/Languages
@@ -183,6 +183,11 @@ Patch43:        perl-5.24.0-PATCH-perl-128734-tr-N-.-failing-for-128-255.patch
 # in upstream after 5.24.1
 Patch44:        perl-5.24.0-CVE-2016-1238-maint-5.24-dot-in-inc.patch
 
+# Fix crash in "evalbytes S", RT#129196, in upstream after 5.25.4
+Patch45:        perl-5.25.4-perl-129196-Crash-bad-read-with-evalbytes-S.patch
+Patch46:        perl-5.24.0-Regression-test-for-RT-129196.patch
+Patch47:        perl-5.25.4-toke.c-fix-mswin32-builds.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
 
@@ -2850,6 +2855,9 @@ Perl extension for Version Objects
 %patch42 -p1
 %patch43 -p1
 %patch44 -p1
+%patch45 -p1
+%patch46 -p1
+%patch47 -p1
 %patch200 -p1
 %patch201 -p1
 
@@ -2885,6 +2893,9 @@ perl -x patchlevel.h \
     'Fedora Patch42: Fix a crash in lexical scope warnings (RT#128597)' \
     'Fedora Patch43: Fix handling \N{} in tr for characters in range 128--255 (RT#128734)' \
     'Fedora Patch44: Avoid loading of modules from current directory (CVE-2016-1238)' \
+    'Fedora Patch45: Fix crash in "evalbytes S" (RT#129196)' \
+    'Fedora Patch46: Fix crash in "evalbytes S" (RT#129196)' \
+    'Fedora Patch47: Fix crash in "evalbytes S" (RT#129196)' \
     'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
     'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
     %{nil}
@@ -5163,6 +5174,9 @@ popd
 
 # Old changelog entries are preserved in CVS.
 %changelog
+* Thu Nov 03 2016 Petr Pisar <ppisar@redhat.com> - 4:5.24.0-379
+- Fix crash in "evalbytes S" (RT#129196)
+
 * Fri Sep 02 2016 Petr Pisar <ppisar@redhat.com> - 4:5.24.0-378
 - perl-core depends on Parse::CPAN::Meta module instead of package name to allow
   upgrading perl-CPAN-Meta to 2.150010 (bug #1370681)