Fix a heap overflow if invalid octal or hexadecimal number is used in transliteration expression

This commit is contained in:
Petr Písař 2017-01-20 10:09:55 +01:00
parent 64c060a679
commit abd9ed8e7e
2 changed files with 81 additions and 0 deletions

View File

@ -0,0 +1,73 @@
From a26907949ed561dccd661fc8600889eddc6664ea Mon Sep 17 00:00:00 2001
From: Hugo van der Sanden <hv@crypt.org>
Date: Wed, 5 Oct 2016 14:53:27 +0100
Subject: [PATCH] [perl #129342] ensure range-start is set after error in tr///
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ported to 5.24.1:
t 59143e29a717d67a61b869a6c5bb49574f1ef43f
Author: Tony Cook <tony@develop-help.com>
Date: Tue Jan 17 11:52:53 2017 +1100
(perl #129342) test for buffer overflow
commit 3dd4eaeb8ac39e08179145b86aedda36584a3509
Author: Hugo van der Sanden <hv@crypt.org>
Date: Wed Oct 5 14:53:27 2016 +0100
[perl #129342] ensure range-start is set after error in tr///
A parse error due to invalid octal or hex escape in the range of a
transliteration must still ensure some kind of start and end values
are captured, since we don't stop on the first such error. Failure
to do so can cause invalid reads after "Here we have parsed a range".
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
t/lib/croak/toke | 7 +++++++
toke.c | 4 ++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/t/lib/croak/toke b/t/lib/croak/toke
index 18dfa24..578a6da 100644
--- a/t/lib/croak/toke
+++ b/t/lib/croak/toke
@@ -302,3 +302,10 @@ Execution of - aborted due to compilation errors.
BEGIN <>
EXPECT
Illegal declaration of subroutine BEGIN at - line 1.
+########
+# NAME tr/// handling of mis-formatted \o characters
+# may only fail with ASAN
+tr/\o-0//;
+EXPECT
+Missing braces on \o{} at - line 2, within string
+Execution of - aborted due to compilation errors.
diff --git a/toke.c b/toke.c
index 288f372..576ce72 100644
--- a/toke.c
+++ b/toke.c
@@ -3338,7 +3338,7 @@ S_scan_const(pTHX_ char *start)
UTF);
if (! valid) {
yyerror(error);
- continue;
+ uv = 0; /* drop through to ensure range ends are set */
}
goto NUM_ESCAPE_INSERT;
}
@@ -3356,7 +3356,7 @@ S_scan_const(pTHX_ char *start)
UTF);
if (! valid) {
yyerror(error);
- continue;
+ uv = 0; /* drop through to ensure range ends are set */
}
}
--
2.7.4

View File

@ -248,6 +248,10 @@ Patch68: perl-5.25.8-perl-129149-fix-the-test-so-skip-has-a-SKIP-to-work-
# in upstream after 5.25.8
Patch69: perl-5.24.1-perl-129125-copy-form-data-if-it-might-be-freed.patch
# Fix a heap overflow if invalid octal or hexadecimal number is used in
# transliteration expression, RT#129342, in upstream after 5.25.8
Patch70: perl-5.24.1-perl-129342-ensure-range-start-is-set-after-error-in.patch
# Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@ -2941,6 +2945,7 @@ Perl extension for Version Objects
%patch67 -p1
%patch68 -p1
%patch69 -p1
%patch70 -p1
%patch200 -p1
%patch201 -p1
@ -2998,6 +3003,7 @@ perl -x patchlevel.h \
'Fedora Patch66: Fix a buffer overflow in split in scalar context (RT#130262)' \
'Fedora Patch67: Fix a heap overflow with pack "W" (RT129149)' \
'Fedora Patch69: Fix a use-after-free when processing scalar variables in forms (RT#129125)' \
'Fedora Patch70: Fix a heap overflow if invalid octal or hexadecimal number is used in transliteration expression (RT#129342)' \
'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
%{nil}
@ -5278,6 +5284,8 @@ popd
- Fix a buffer overflow in split in scalar context (RT#130262)
- Fix a heap overflow with pack "W" (RT129149)
- Fix a use-after-free when processing scalar variables in forms (RT#129125)
- Fix a heap overflow if invalid octal or hexadecimal number is used in
transliteration expression (RT#129342)
* Mon Jan 16 2017 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.24.1-385
- 5.24.1 bump (see <http://search.cpan.org/dist/perl-5.24.1/pod/perldelta.pod>