From a2d9fa158f70847117e28c31745d681e01013901 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Wed, 5 Sep 2018 10:52:28 +0200
Subject: [PATCH] Fix a buffer overrun in deprecated S_is_utf8_common()
---
 ...8.c-Make-safer-a-deprecated-function.patch | 49 +++++++++++++++++++
 perl.spec | 11 ++++-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 perl-5.29.1-utf8.c-Make-safer-a-deprecated-function.patch
diff --git a/perl-5.29.1-utf8.c-Make-safer-a-deprecated-function.patch b/perl-5.29.1-utf8.c-Make-safer-a-deprecated-function.patch
new file mode 100644
index 0000000..167029c
--- /dev/null
+++ b/perl-5.29.1-utf8.c-Make-safer-a-deprecated-function.patch
@@ -0,0 +1,49 @@
+From 016c8ffcc6c9d41d145035ef5df607568880e3b3 Mon Sep 17 00:00:00 2001
+From: Karl Williamson
+Date: Tue, 24 Jul 2018 17:20:08 -0600
+Subject: [PATCH] utf8.c: Make safer a deprecated function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This function is only called from deprecated functions, but they may be
+moved to ppport.h. It is lacking a length parameter, so malformed UTF-8
+may cause it to read beyond the buffer. This commit causes it to not
+read beyond a NUL character, which makes it safe for the common case
+that the input is a C string.
+
+Signed-off-by: Petr Písař
+---
+ utf8.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/utf8.c b/utf8.c
+index 8471fb8093..3062f58338 100644
+--- a/utf8.c
++++ b/utf8.c
+@@ -3100,7 +3100,9 @@ S_is_utf8_common(pTHX_ const U8 *const p, SV **swash,
+ * Note that it is assumed that the buffer length of

is enough to
+ * contain all the bytes that comprise the character. Thus, <*p> should
+ * have been checked before this call for mal-formedness enough to assure
+- * that. */
++ * that. This function, does make sure to not look past any NUL, so it is
++ * safe to use on C, NUL-terminated, strings */
++ STRLEN len = my_strnlen((char *) p, UTF8SKIP(p));
+
+ PERL_ARGS_ASSERT_IS_UTF8_COMMON;
+
+@@ -3109,9 +3111,8 @@ S_is_utf8_common(pTHX_ const U8 *const p, SV **swash,
+ * as far as there being enough bytes available in it to accommodate the
+ * character without reading beyond the end, and pass that number on to the
+ * validating routine */
+- if (! isUTF8_CHAR(p, p + UTF8SKIP(p))) {
+- _force_out_malformed_utf8_message(p, p + UTF8SKIP(p),
+- _UTF8_NO_CONFIDENCE_IN_CURLEN,
++ if (! isUTF8_CHAR(p, p + len)) {
++ _force_out_malformed_utf8_message(p, p + len, _UTF8_NO_CONFIDENCE_IN_CURLEN,
+ 1 /* Die */ );
+ NOT_REACHED; /* NOTREACHED */
+ }
+--
+2.14.4
+
diff --git a/perl.spec b/perl.spec
index 074af69..1384ea7 100644
--- a/perl.spec
+++ b/perl.spec
@@ -81,7 +81,7 @@ License: GPL+ or Artistic
 Epoch: %{perl_epoch}
 Version: %{perl_version}
 # release number must be even higher, because dual-lived modules will be broken otherwise
-Release: 420%{?dist}
+Release: 421%{?dist}
 Summary: Practical Extraction and Report Language
 Url: https://www.perl.org/
 Source0: https://www.cpan.org/src/5.0/perl-%{perl_version}.tar.xz
@@ -177,6 +177,10 @@ Patch20: perl-5.29.0-locale.c-Fix-conditional-compilation.patch
 Patch21: perl-5.29.1-perl-133314-test-for-handle-leaks-from-in-place-edit.patch
 Patch22: perl-5.29.1-perl-133314-always-close-the-directory-handle-on-cle.patch
+# Fix a buffer overrun in deprecated S_is_utf8_common(),
+# in upstream after 5.29.1
+Patch23: perl-5.29.1-utf8.c-Make-safer-a-deprecated-function.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
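Review bot: The bound added in the embedded utf8.c patch, `STRLEN len = my_strnlen((char *) p, UTF8SKIP(p));`, only stops at a NUL, so a caller that hands S_is_utf8_common() a buffer without a terminating NUL can still be read past its end; the new comment should state that residual precondition, for example `Buffers that are not NUL-terminated must still hold UTF8SKIP(p) readable bytes.` When `*p` is itself NUL, `len` comes out as 0 and the second hunk calls `isUTF8_CHAR(p, p + len)` on an empty range; if the macro rejects an empty range (its definition is not shown here), a U+0000 input now takes the die path, which is worth confirming and covering with a test. The cast also discards the `const` on `p`; `(const char *) p` would keep it, assuming my_strnlen() accepts a const pointer. The body of S_is_utf8_common() begins and ends outside both hunks.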
@@ -2751,6 +2755,7 @@ Perl extension for Version Objects
 %patch20 -p1
 %patch21 -p1
 %patch22 -p1
+%patch23 -p1
 %patch200 -p1
 %patch201 -p1
@@ -2780,6 +2785,7 @@ perl -x patchlevel.h \
 'Fedora Patch20: Fix build conditions in locale.c' \
 'Fedora Patch21: Fix a file descriptor leak in in-place edits (RT#133314)' \
 'Fedora Patch22: Fix a file descriptor leak in in-place edits (RT#133314)' \
+ 'Fedora Patch23: Fix a buffer overrun in deprecated S_is_utf8_common()' \
 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
 %{nil}
@@ -5068,6 +5074,9 @@ popd
 # Old changelog entries are preserved in CVS.
 %changelog
+* Wed Sep 05 2018 Petr Pisar - 4:5.28.0-421
+- Fix a buffer overrun in deprecated S_is_utf8_common()
+
 * Wed Aug 01 2018 Petr Pisar - 4:5.28.0-420
 - Fix a file descriptor leak in in-place edits (RT#133314)