Fix a heap overflow if invalid octal or hexadecimal number is used in transliteration expression
parent
64c060a679
commit
abd9ed8e7e
@ -0,0 +1,73 @@
|
||||
From a26907949ed561dccd661fc8600889eddc6664ea Mon Sep 17 00:00:00 2001
|
||||
From: Hugo van der Sanden <hv@crypt.org>
|
||||
Date: Wed, 5 Oct 2016 14:53:27 +0100
|
||||
Subject: [PATCH] [perl #129342] ensure range-start is set after error in tr///
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Ported to 5.24.1:
|
||||
|
||||
t 59143e29a717d67a61b869a6c5bb49574f1ef43f
|
||||
Author: Tony Cook <tony@develop-help.com>
|
||||
Date: Tue Jan 17 11:52:53 2017 +1100
|
||||
|
||||
(perl #129342) test for buffer overflow
|
||||
|
||||
commit 3dd4eaeb8ac39e08179145b86aedda36584a3509
|
||||
Author: Hugo van der Sanden <hv@crypt.org>
|
||||
Date: Wed Oct 5 14:53:27 2016 +0100
|
||||
|
||||
[perl #129342] ensure range-start is set after error in tr///
|
||||
|
||||
A parse error due to invalid octal or hex escape in the range of a
|
||||
transliteration must still ensure some kind of start and end values
|
||||
are captured, since we don't stop on the first such error. Failure
|
||||
to do so can cause invalid reads after "Here we have parsed a range".
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
t/lib/croak/toke | 7 +++++++
|
||||
toke.c | 4 ++--
|
||||
2 files changed, 9 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/t/lib/croak/toke b/t/lib/croak/toke
|
||||
index 18dfa24..578a6da 100644
|
||||
--- a/t/lib/croak/toke
|
||||
+++ b/t/lib/croak/toke
|
||||
@@ -302,3 +302,10 @@ Execution of - aborted due to compilation errors.
|
||||
BEGIN <>
|
||||
EXPECT
|
||||
Illegal declaration of subroutine BEGIN at - line 1.
|
||||
+########
|
||||
+# NAME tr/// handling of mis-formatted \o characters
|
||||
+# may only fail with ASAN
|
||||
+tr/\o-0//;
|
||||
+EXPECT
|
||||
+Missing braces on \o{} at - line 2, within string
|
||||
+Execution of - aborted due to compilation errors.
|
||||
diff --git a/toke.c b/toke.c
|
||||
index 288f372..576ce72 100644
|
||||
--- a/toke.c
|
||||
+++ b/toke.c
|
||||
@@ -3338,7 +3338,7 @@ S_scan_const(pTHX_ char *start)
|
||||
UTF);
|
||||
if (! valid) {
|
||||
yyerror(error);
|
||||
- continue;
|
||||
+ uv = 0; /* drop through to ensure range ends are set */
|
||||
}
|
||||
goto NUM_ESCAPE_INSERT;
|
||||
}
|
||||
@@ -3356,7 +3356,7 @@ S_scan_const(pTHX_ char *start)
|
||||
UTF);
|
||||
if (! valid) {
|
||||
yyerror(error);
|
||||
- continue;
|
||||
+ uv = 0; /* drop through to ensure range ends are set */
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.7.4
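Review bot: The regression case added to t/lib/croak/toke is marked `# may only fail with ASAN`, so on a regular non-sanitizer build it can pass with or without the toke.c change and does not by itself confirm that the packaged interpreter carries the fix. It is worth running that test once against an AddressSanitizer build of this 5.24.1 backport and noting the result in the patch header or changelog. In both S_scan_const hunks the new `uv = 0;` is only a placeholder range endpoint, and the code appears to rely on the error already queued by `yyerror(error)` to abort compilation (the EXPECT block ends with "Execution of - aborted due to compilation errors."); I would say so in the comment, e.g. `uv = 0; /* placeholder so range ends are set; yyerror() above still fails the compile */`. The body of S_scan_const starts and ends outside both hunks, so where the second hunk falls through to cannot be checked from this page.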
|
||||
|
@ -248,6 +248,10 @@ Patch68: perl-5.25.8-perl-129149-fix-the-test-so-skip-has-a-SKIP-to-work-
|
||||
# in upstream after 5.25.8
|
||||
Patch69: perl-5.24.1-perl-129125-copy-form-data-if-it-might-be-freed.patch
|
||||
|
||||
# Fix a heap overflow if invalid octal or hexadecimal number is used in
|
||||
# transliteration expression, RT#129342, in upstream after 5.25.8
|
||||
Patch70: perl-5.24.1-perl-129342-ensure-range-start-is-set-after-error-in.patch
|
||||
|
||||
# Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
|
||||
Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
|
||||
|
||||
@ -2941,6 +2945,7 @@ Perl extension for Version Objects
|
||||
%patch67 -p1
|
||||
%patch68 -p1
|
||||
%patch69 -p1
|
||||
%patch70 -p1
|
||||
%patch200 -p1
|
||||
%patch201 -p1
|
||||
|
||||
@ -2998,6 +3003,7 @@ perl -x patchlevel.h \
|
||||
'Fedora Patch66: Fix a buffer overflow in split in scalar context (RT#130262)' \
|
||||
'Fedora Patch67: Fix a heap overflow with pack "W" (RT129149)' \
|
||||
'Fedora Patch69: Fix a use-after-free when processing scalar variables in forms (RT#129125)' \
|
||||
'Fedora Patch70: Fix a heap overflow if invalid octal or hexadecimal number is used in transliteration expression (RT#129342)' \
|
||||
'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
|
||||
'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
|
||||
%{nil}
|
||||
@ -5278,6 +5284,8 @@ popd
|
||||
- Fix a buffer overflow in split in scalar context (RT#130262)
|
||||
- Fix a heap overflow with pack "W" (RT129149)
|
||||
- Fix a use-after-free when processing scalar variables in forms (RT#129125)
|
||||
- Fix a heap overflow if invalid octal or hexadecimal number is used in
|
||||
transliteration expression (RT#129342)
|
||||
|
||||
* Mon Jan 16 2017 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.24.1-385
|
||||
- 5.24.1 bump (see <http://search.cpan.org/dist/perl-5.24.1/pod/perldelta.pod>
|
||||
|