From a37c37e2117a7503ecbe853e1ff67ffc667a6d96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Mon, 2 Sep 2019 09:33:26 +0200 Subject: [PATCH] Fix a buffer overread when parsin a Unicode property while compiling a regular expression --- ...erl-134133-read-beyond-end-of-buffer.patch | 31 +++++++++++++++++++ perl.spec | 8 +++++ 2 files changed, 39 insertions(+) create mode 100644 perl-5.31.3-PATCH-perl-134133-read-beyond-end-of-buffer.patch diff --git a/perl-5.31.3-PATCH-perl-134133-read-beyond-end-of-buffer.patch b/perl-5.31.3-PATCH-perl-134133-read-beyond-end-of-buffer.patch new file mode 100644 index 0000000..bf2aba6 --- /dev/null +++ b/perl-5.31.3-PATCH-perl-134133-read-beyond-end-of-buffer.patch @@ -0,0 +1,31 @@ +From c6f37d61adb39a6d7764b1bcb6bb67accb22a0a0 Mon Sep 17 00:00:00 2001 +From: Karl Williamson +Date: Fri, 24 May 2019 09:01:46 -0600 +Subject: [PATCH] PATCH: [perl #134133] read beyond end of buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The code was using the wrong limit variable. + +Signed-off-by: Petr Písař +--- + regcomp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/regcomp.c b/regcomp.c +index d61fd434fe..b2cc6672cb 100644 +--- a/regcomp.c ++++ b/regcomp.c +@@ -22946,7 +22946,7 @@ Perl_parse_uniprop_string(pTHX_ + /* Certain properties whose values are numeric need special handling. + * They may optionally be prefixed by 'is'. Ignore that prefix for the + * purposes of checking if this is one of those properties */ +- if (memBEGINPs(lookup_name, name_len, "is")) { ++ if (memBEGINPs(lookup_name, j, "is")) { + lookup_offset = 2; + } + +-- +2.21.0 + diff --git a/perl.spec b/perl.spec index 83b247c..a9da8ff 100644 --- a/perl.spec +++ b/perl.spec @@ -267,6 +267,10 @@ Patch53: perl-5.31.2-Run-tests-in-ext-File-Find-t-in-series.patch # fixed after 5.31.3 Patch54: perl-5.31.3-regcomp.c-Fix-wrong-limit-test.patch +# Fix a buffer overread when parsing a Unicode property while compiling +# a regular expression, RT#134133, fixed after 5.31.3 +Patch55: perl-5.31.3-PATCH-perl-134133-read-beyond-end-of-buffer.patch + # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch @@ -2843,6 +2847,7 @@ Perl extension for Version Objects %patch52 -p1 %patch53 -p1 %patch54 -p1 +%patch55 -p1 %patch200 -p1 %patch201 -p1 @@ -2904,6 +2909,7 @@ perl -x patchlevel.h \ 'Fedora Patch52: Fix a documentation about a future API change' \ 'Fedora Patch53: Do not run File-Find tests in parallel' \ 'Fedora Patch54: Fix parsing a Unicode property name when compiling a regular expression' \ + 'Fedora Patch55: Fix a buffer overread when parsing a Unicode property while compiling a regular expression (RT#134133)' \ 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \ 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \ %{nil} @@ -5152,6 +5158,8 @@ popd * Mon Sep 02 2019 Petr Pisar - 4:5.30.0-445 - Adjust spec file to rpm-build-4.15.0-0.rc1.1 - Fix parsing a Unicode property name when compiling a regular expression +- Fix a buffer overread when parsing a Unicode property while compiling + a regular expression (RT#134133) * Thu Aug 22 2019 Petr Pisar - 4:5.30.0-444 - Fix a NULL pointer dereference in PerlIOVia_pushed()