Fix a buffer overrun in deprecated S_is_utf8_common()

2018-09-05 10:52:28 +02:00 · 2018-09-05 10:52:28 +02:00 · a2d9fa158f
parent 2d2ad79937
commit a2d9fa158f
2 changed files with 59 additions and 1 deletions
--- a/perl-5.29.1-utf8.c-Make-safer-a-deprecated-function.patch
+++ b/perl-5.29.1-utf8.c-Make-safer-a-deprecated-function.patch
@ -0,0 +1,49 @@
+From 016c8ffcc6c9d41d145035ef5df607568880e3b3 Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Tue, 24 Jul 2018 17:20:08 -0600
+Subject: [PATCH] utf8.c: Make safer a deprecated function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This function is only called from deprecated functions, but they may be
+moved to ppport.h.  It is lacking a length parameter, so malformed UTF-8
+may cause it to read beyond the buffer.  This commit causes it to not
+read beyond a NUL character, which makes it safe for the common case
+that the input is a C string.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ utf8.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/utf8.c b/utf8.c
+index 8471fb8093..3062f58338 100644
+--- a/utf8.c
+++ b/utf8.c
+@@ -3100,7 +3100,9 @@ S_is_utf8_common(pTHX_ const U8 *const p, SV **swash,
+      * Note that it is assumed that the buffer length of <p> is enough to
+      * contain all the bytes that comprise the character.  Thus, <*p> should
+      * have been checked before this call for mal-formedness enough to assure
+-     * that. */
+     * that.  This function, does make sure to not look past any NUL, so it is
+     * safe to use on C, NUL-terminated, strings */
+    STRLEN len = my_strnlen((char *) p, UTF8SKIP(p));
+ 
+     PERL_ARGS_ASSERT_IS_UTF8_COMMON;
+ 
+@@ -3109,9 +3111,8 @@ S_is_utf8_common(pTHX_ const U8 *const p, SV **swash,
+      * as far as there being enough bytes available in it to accommodate the
+      * character without reading beyond the end, and pass that number on to the
+      * validating routine */
+-    if (! isUTF8_CHAR(p, p + UTF8SKIP(p))) {
+-        _force_out_malformed_utf8_message(p, p + UTF8SKIP(p),
+-                                          _UTF8_NO_CONFIDENCE_IN_CURLEN,
+    if (! isUTF8_CHAR(p, p + len)) {
+        _force_out_malformed_utf8_message(p, p + len, _UTF8_NO_CONFIDENCE_IN_CURLEN,
+                                           1 /* Die */ );
+         NOT_REACHED; /* NOTREACHED */
+     }
+-- 
+2.14.4
+
--- a/perl.spec
+++ b/perl.spec
@ -81,7 +81,7 @@ License:        GPL+ or Artistic
 Epoch:          %{perl_epoch}
 Version:        %{perl_version}
 # release number must be even higher, because dual-lived modules will be broken otherwise
-Release:        420%{?dist}
+Release:        421%{?dist}
 Summary:        Practical Extraction and Report Language
 Url:            https://www.perl.org/
 Source0:        https://www.cpan.org/src/5.0/perl-%{perl_version}.tar.xz
@ -177,6 +177,10 @@ Patch20:        perl-5.29.0-locale.c-Fix-conditional-compilation.patch
 Patch21:        perl-5.29.1-perl-133314-test-for-handle-leaks-from-in-place-edit.patch
 Patch22:        perl-5.29.1-perl-133314-always-close-the-directory-handle-on-cle.patch

+# Fix a buffer overrun in deprecated S_is_utf8_common(),
+# in upstream after 5.29.1
+Patch23:        perl-5.29.1-utf8.c-Make-safer-a-deprecated-function.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch

@ -2751,6 +2755,7 @@ Perl extension for Version Objects
 %patch20 -p1
 %patch21 -p1
 %patch22 -p1
+%patch23 -p1
 %patch200 -p1
 %patch201 -p1

@ -2780,6 +2785,7 @@ perl -x patchlevel.h \
    'Fedora Patch20: Fix build conditions in locale.c' \
    'Fedora Patch21: Fix a file descriptor leak in in-place edits (RT#133314)' \
    'Fedora Patch22: Fix a file descriptor leak in in-place edits (RT#133314)' \
+    'Fedora Patch23: Fix a buffer overrun in deprecated S_is_utf8_common()' \
    'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
    'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
    %{nil}
@ -5068,6 +5074,9 @@ popd

 # Old changelog entries are preserved in CVS.
 %changelog
+* Wed Sep 05 2018 Petr Pisar <ppisar@redhat.com> - 4:5.28.0-421
+- Fix a buffer overrun in deprecated S_is_utf8_common()
+
 * Wed Aug 01 2018 Petr Pisar <ppisar@redhat.com> - 4:5.28.0-420
 - Fix a file descriptor leak in in-place edits (RT#133314)