From 8cf9a28c2e6f42165d21ec167ee9e6e2229c75f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Mon, 24 Sep 2018 11:18:00 +0200
Subject: [PATCH] Fix upack "u" of invalid data
---
 ...terminate-result-of-unpack-u-of-inva.patch | 61 +++++++++++++++++++
 perl.spec | 9 ++-
 2 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 perl-5.29.2-perl-132655-nul-terminate-result-of-unpack-u-of-inva.patch
diff --git a/perl-5.29.2-perl-132655-nul-terminate-result-of-unpack-u-of-inva.patch b/perl-5.29.2-perl-132655-nul-terminate-result-of-unpack-u-of-inva.patch
new file mode 100644
index 0000000..5087d6c
--- /dev/null
+++ b/perl-5.29.2-perl-132655-nul-terminate-result-of-unpack-u-of-inva.patch
@@ -0,0 +1,61 @@
+From 12cad9bd99725bba72029e2651b2b7f0cab2e0b0 Mon Sep 17 00:00:00 2001
+From: Tony Cook
+Date: Mon, 20 Aug 2018 16:31:45 +1000
+Subject: [PATCH] (perl #132655) nul terminate result of unpack "u" of invalid
+ data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In the given test case, Perl_atof2() would run off the end of the PV,
+producing an error from ASAN.
+
+Signed-off-by: Petr Písař
+---
+ pp_pack.c | 5 ++++-
+ t/op/pack.t | 9 ++++++++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/pp_pack.c b/pp_pack.c
+index 5e9cc64301..f8be9d48ae 100644
+--- a/pp_pack.c
++++ b/pp_pack.c
+@@ -1727,7 +1727,10 @@ S_unpack_rec(pTHX_ tempsym_t* symptr, const char *s, const char *strbeg, const c
+ if (!checksum) {
+ const STRLEN l = (STRLEN) (strend - s) * 3 / 4;
+ sv = sv_2mortal(newSV(l));
+- if (l) SvPOK_on(sv);
++ if (l) {
++ SvPOK_on(sv);
++ *SvEND(sv) = '\0';
++ }
+ }
+
+ /* Note that all legal uuencoded strings are ASCII printables, so
+diff --git a/t/op/pack.t b/t/op/pack.t
+index cf0e286509..bb9f865091 100644
+--- a/t/op/pack.t
++++ b/t/op/pack.t
+@@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' :
+ my $no_signedness = $] > 5.009 ? '' :
+ "Signed/unsigned pack modifiers not available on this perl";
+
+-plan tests => 14717;
++plan tests => 14718;
+
+ use strict;
+ use warnings qw(FATAL all);
+@@ -2081,3 +2081,10 @@ SKIP:
+ fresh_perl_like('pack "c10f1073741824"', qr/Out of memory during pack/, { stderr => 1 },
+ "integer overflow calculating allocation (multiply)");
+ }
++
++{
++ # [perl #132655] heap-buffer-overflow READ of size 11
++ # only expect failure under ASAN (and maybe valgrind)
++ fresh_perl_is('0.0 + unpack("u", "ab")', "", { stderr => 1 },
++ "ensure unpack u of invalid data nul terminates result");
++}
+--
+2.17.1
+
diff --git a/perl.spec b/perl.spec
index 8fa0c97..5398711 100644
--- a/perl.spec
+++ b/perl.spec
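Review bot: The regression test added at the end of the t/op/pack.t part of the carried patch only detects the bug under a memory checker, as its own comment says ("only expect failure under ASAN (and maybe valgrind)"). In an ordinary non-sanitized build the `fresh_perl_is('0.0 + unpack("u", "ab")', "", ...)` check will most likely pass with or without the pp_pack.c change, so the package's test run does not show that the fix is applied. The fix itself is the single store `*SvEND(sv) = '\0';` after `SvPOK_on(sv)`, and it has no comment. Going by the patch description (Perl_atof2() running off the end of the PV), something like `/* terminate the still-empty buffer: numeric conversion reads up to the NUL */` would record why the line must stay. S_unpack_rec starts and ends outside the hunk, so the decode loop that fills the SV is not visible here.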
@@ -81,7 +81,7 @@ License: GPL+ or Artistic Epoch: %{perl_epoch} Version: %{perl_version} # release number must be even higher, because dual-lived modules will be broken otherwise -Release: 422%{?dist} +Release: 423%{?dist} Summary: Practical Extraction and Report Language Url: https://www.perl.org/ Source0: https://www.cpan.org/src/5.0/perl-%{perl_version}.tar.xz @@ -200,6 +200,9 @@ Patch27: perl-5.29.2-multiconcat-mutator-not-seen-in-lex.patch # in upstream after 5.29.2 Patch28: perl-5.29.2-perl-132683-don-t-try-to-convert-PL_sv_placeholder-i.patch +# Fix upack "u" of invalid data, RT#132655, in upstream after 5.29.2 +Patch29: perl-5.29.2-perl-132655-nul-terminate-result-of-unpack-u-of-inva.patch + # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch @@ -2781,6 +2784,7 @@ Perl extension for Version Objects %patch26 -p1 %patch27 -p1 %patch28 -p1 +%patch29 -p1 %patch200 -p1 %patch201 -p1 @@ -5104,6 +5108,9 @@ popd # Old changelog entries are preserved in CVS. %changelog +* Mon Sep 24 2018 Petr Pisar - 4:5.28.0-423 +- Fix upack "u" of invalid data (RT#132655) + * Mon Sep 10 2018 Petr Pisar - 4:5.28.0-422 - Revert a fix for a buffer overrun in deprecated S_is_utf8_common() (bug #1627091)
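Review bot: The comment added above `Patch29:` spells the builtin as "upack" and does not say that the patch fixes a memory-safety bug. The test comment in the carried patch describes the problem as a heap-buffer-overflow read. The same wording recurs in the new %changelog entry in the last hunk. Wording such as `# Fix a buffer over-read in unpack "u" of invalid data, RT#132655, in upstream after 5.29.2` and `- Fix a buffer over-read in unpack "u" of invalid data (RT#132655)` would let anyone triaging updates from the changelog see the class of bug.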