From 9040dc1ebc7147c366d804a5a0843e1819cae637 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Wed, 17 Jul 2019 14:08:59 +0200 Subject: [PATCH] Fix a crash on an uninitialized warning when processing a multideref node
---
 ...-with-uninit-warning-with-multideref.patch | 65 +++++++++++++++++++ perl.spec | 8 +++ 2 files changed, 73 insertions(+) create mode 100644 perl-5.31.1-avoid-SEGV-with-uninit-warning-with-multideref.patch
diff --git a/perl-5.31.1-avoid-SEGV-with-uninit-warning-with-multideref.patch b/perl-5.31.1-avoid-SEGV-with-uninit-warning-with-multideref.patch new file mode 100644
index 0000000..e25b547
--- /dev/null
+++ b/perl-5.31.1-avoid-SEGV-with-uninit-warning-with-multideref.patch
@@ -0,0 +1,65 @@ +From 28eabf1185634216ca335b3a24e1131b0f392ca1 Mon Sep 17 00:00:00 2001 +From: David Mitchell +Date: Wed, 10 Jul 2019 12:59:06 +0100 +Subject: [PATCH] avoid SEGV with uninit warning with multideref +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RT #134275 + +When the 'uninitialized warning' code in S_find_uninit_var() comes +across an OP_MULTIDEREF node, it scans it to see if any part of that op +(e.g. the indices or the returned value) could have been the source of +the uninitialized value which triggered the warning. Unfortunately when +getting an AV or HV from a GV, it wasn't checking whether gp_av/gp_hv +contained a NULL value. If so, it would SEGV. + +The test code is a bit contrived; you have to "pull the rug" from under +the GV at just the right moment with *foo = *bar, then trigger an uninit +warning on an op whose subtree includes an OP_MULTIDEREF. + +Signed-off-by: Petr Písař +--- + sv.c | 5 ++++- + t/lib/warnings/9uninit | 10 ++++++++++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/sv.c b/sv.c +index 83de536ad7..4315fe9b64 100644 +--- a/sv.c ++++ b/sv.c +@@ -16662,8 +16662,11 @@ S_find_uninit_var(pTHX_ const OP *const obase, const SV *const uninit_sv, + + if (agg_targ) + sv = PAD_SV(agg_targ); +- else if (agg_gv) ++ else if (agg_gv) { + sv = is_hv ? MUTABLE_SV(GvHV(agg_gv)) : MUTABLE_SV(GvAV(agg_gv)); ++ if (!sv) ++ break; ++ } + else + break; + +diff --git a/t/lib/warnings/9uninit b/t/lib/warnings/9uninit +index 774c6ee432..5c173fdb2a 100644 +--- a/t/lib/warnings/9uninit ++++ b/t/lib/warnings/9uninit +@@ -2206,3 +2206,13 @@ use warnings 'uninitialized'; + undef $0; + EXPECT + Use of uninitialized value in undef operator at - line 5. ++######## ++# RT #134275 ++# This was SEGVing due to the multideref code in S_find_uninit_var not ++# handling a GV with a null gp_hv slot. 
++use warnings 'uninitialized'; ++"" =~ /$foo{a}${*foo=*bar}$x/; ++EXPECT ++Use of uninitialized value in regexp compilation at - line 5. ++Use of uninitialized value in regexp compilation at - line 5. ++Use of uninitialized value $x in regexp compilation at - line 5. +-- +2.20.1 + diff --git a/perl.spec b/perl.spec index d509167..8374819 100644 --- a/perl.spec +++ b/perl.spec @@ -219,6 +219,10 @@ Patch39: perl-5.31.0-perl-134193-make-the-varname-match-the-names.patch # be closed, RT#122112, fixed after 5.31.1 Patch40: perl-5.31.1-perl-122112-make-sure-SIGPIPE-is-delivered-if-we-tes.patch +# Fix a crash on an uninitialized warning when processing a multideref node, +# RT#134275, fixed after 5.31.1 +Patch41: perl-5.31.1-avoid-SEGV-with-uninit-warning-with-multideref.patch + # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch @@ -2777,6 +2781,7 @@ Perl extension for Version Objects %patch38 -p1 %patch39 -p1 %patch40 -p1 +%patch41 -p1 %patch200 -p1 %patch201 -p1 @@ -2824,6 +2829,7 @@ perl -x patchlevel.h \ 'Fedora Patch38: Fix %%{^CAPTURE} value when used after @{^CAPTURE} (RT#134193)' \ 'Fedora Patch39: Fix %%{^CAPTURE} value when used after @{^CAPTURE} (RT#134193)' \ 'Fedora Patch40: Fix a test for a crash in SIGALARM handler when waiting on a child process to be closed (RT#122112)' \ + 'Fedora Patch41: Fix a crash on an uninitialized warning when processing a multideref node (RT#134275)' \ 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \ 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \ %{nil} 
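Review bot: The Patch41 comment in the @@ -219 hunk of perl.spec describes the fix only as "a crash", while the bundled patch's own description states what is actually fixed: S_find_uninit_var dereferencing a NULL gp_av/gp_hv slot after a glob assignment such as *foo = *bar pulls the AV/HV out from under the GV mid-expression. Naming the defect class and the upstream commit makes the backport traceable for anyone auditing why the package carries it, e.g. `# Fix a NULL pointer dereference (SEGV) in S_find_uninit_var on an uninitialized` / `# warning over a multideref node, RT#134275, upstream 28eabf1185, fixed after 5.31.1`. The same wording could carry over to the 'Fedora Patch41:' patchlevel.h entry in the @@ -2824 hunk, which currently repeats the vaguer "Fix a crash" text.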
@@ -5072,6 +5078,8 @@ popd * Wed Jul 17 2019 Petr Pisar - 4:5.30.0-441 - Fix a test for a crash in SIGALARM handler when waiting on a child process to be closed (RT#122112) +- Fix a crash on an uninitialized warning when processing a multideref node + (RT#134275) * Tue Jun 25 2019 Petr Pisar - 4:5.30.0-440 - Fix an out-of-buffer read while parsing a Unicode property name (RT#134134)