Fix a buffer overrun with format and "use bytes"

This commit is contained in:
Petr Písař 2017-02-10 11:13:47 +01:00
parent 83a50fdcff
commit b79329e9cf
2 changed files with 100 additions and 0 deletions

View File

@ -0,0 +1,93 @@
From fd25d49cae6409a4ce901fd4d899a197541604b3 Mon Sep 17 00:00:00 2001
From: David Mitchell <davem@iabyn.com>
Date: Sat, 4 Feb 2017 15:10:49 +0000
Subject: [PATCH] buffer overrun with format and 'use bytes'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ported to 5.24.1:
commit e452bf1c9e9f30813b1f289188a6e8b0894575ba
Author: David Mitchell <davem@iabyn.com>
Date: Sat Feb 4 15:10:49 2017 +0000
buffer overrun with format and 'use bytes'
RT #130703
In the scope of 'use bytes', appending a string to a format where the
format is utf8 and the string is non-utf8 but contains lots of chars
with ords >= 128, the buffer could be overrun. This is due to all the
\x80-type chars going from being stored as 1 bytes to 2 bytes, without
growing PL_formtarget accordingly.
This commit contains a minimal fix; the next commit will more generally
tidy up the grow code in pp_formline.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
pp_ctl.c | 3 +++
t/op/write.t | 18 +++++++++++++++++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/pp_ctl.c b/pp_ctl.c
index a1fc2f4..4d5ef2e 100644
--- a/pp_ctl.c
+++ b/pp_ctl.c
@@ -505,6 +505,8 @@ PP(pp_formline)
SvTAINTED_on(PL_formtarget);
if (DO_UTF8(PL_formtarget))
targ_is_utf8 = TRUE;
+ /* this is an initial estimate of how much output buffer space
+ * to allocate. It may be exceeded later */
linemax = (SvCUR(formsv) * (IN_BYTES ? 1 : 3) + 1);
t = SvGROW(PL_formtarget, len + linemax + 1);
/* XXX from now onwards, SvCUR(PL_formtarget) is invalid */
@@ -766,6 +768,7 @@ PP(pp_formline)
if (targ_is_utf8 && !item_is_utf8) {
source = tmp = bytes_to_utf8(source, &to_copy);
+ grow = to_copy;
} else {
if (item_is_utf8 && !targ_is_utf8) {
U8 *s;
diff --git a/t/op/write.t b/t/op/write.t
index ab2733f..ae4ddb5 100644
--- a/t/op/write.t
+++ b/t/op/write.t
@@ -98,7 +98,7 @@ for my $tref ( @NumTests ){
my $bas_tests = 21;
# number of tests in section 3
-my $bug_tests = 66 + 3 * 3 * 5 * 2 * 3 + 2 + 66 + 6 + 2 + 3 + 96 + 11 + 3;
+my $bug_tests = 66 + 3 * 3 * 5 * 2 * 3 + 2 + 66 + 6 + 2 + 3 + 96 + 11 + 4;
# number of tests in section 4
my $hmb_tests = 37;
@@ -1562,6 +1562,22 @@ ok defined *{$::{CmT}}{FORMAT}, "glob assign";
formline $format, $orig, 12345;
is $^A, ("x" x 100) . " 12345\n", "\@* doesn't overflow";
+ # ...nor this (RT #130703).
+ # Under 'use bytes', the two bytes (c2, 80) making up each \x80 char
+ # each get expanded to two bytes (so four in total per \x80 char); the
+ # buffer growth wasn't accounting for this doubling in size
+
+ {
+ local $^A = '';
+ my $format = "X\n\x{100}" . ("\x80" x 200);
+ my $expected = $format;
+ utf8::encode($expected);
+ use bytes;
+ formline($format);
+ is $^A, $expected, "RT #130703";
+ }
+
+
# make sure it can cope with formats > 64k
$format = 'x' x 65537;
--
2.7.4

View File

@ -283,6 +283,10 @@ Patch79: perl-5.24.1-fix-RT-130561-recursion-and-optimising-away-impossib
Patch80: perl-5.25.9-only-mess-with-NEXT_OFF-when-we-are-in-PASS2.patch Patch80: perl-5.25.9-only-mess-with-NEXT_OFF-when-we-are-in-PASS2.patch
Patch81: perl-5.25.9-silence-warnings-from-tests-about-impossible-quantif.patch Patch81: perl-5.25.9-silence-warnings-from-tests-about-impossible-quantif.patch
# Fix a buffer overrun with format and "use bytes", RT#130703,
# in upstream after 5.25.9
Patch82: perl-5.24.1-buffer-overrun-with-format-and-use-bytes.patch
# Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@ -2992,6 +2996,7 @@ popd
%patch79 -p1 %patch79 -p1
%patch80 -p1 %patch80 -p1
%patch81 -p1 %patch81 -p1
%patch82 -p1
%patch200 -p1 %patch200 -p1
%patch201 -p1 %patch201 -p1
@ -3058,6 +3063,7 @@ perl -x patchlevel.h \
'Fedora Patch76: Fix a heap overlow in parsing $# (RT#129274)' \ 'Fedora Patch76: Fix a heap overlow in parsing $# (RT#129274)' \
'Fedora Patch77: Adapt tests to zlib-1.2.11 (CPAN RT#119762)' \ 'Fedora Patch77: Adapt tests to zlib-1.2.11 (CPAN RT#119762)' \
'Fedora Patch79: Fix a crash when compiling a regexp with impossible quantifiers (RT#130561)' \ 'Fedora Patch79: Fix a crash when compiling a regexp with impossible quantifiers (RT#130561)' \
'Fedora Patch82: Fix a buffer overrun with format and "use bytes" (RT#130703)' \
'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \ 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \ 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
%{nil} %{nil}
@ -5337,6 +5343,7 @@ popd
* Fri Feb 10 2017 Petr Pisar <ppisar@redhat.com> - 4:5.24.1-388 * Fri Feb 10 2017 Petr Pisar <ppisar@redhat.com> - 4:5.24.1-388
- Adapt tests to zlib-1.2.11 (bug #1420326) - Adapt tests to zlib-1.2.11 (bug #1420326)
- Fix a crash when compiling a regexp with impossible quantifiers (RT#130561) - Fix a crash when compiling a regexp with impossible quantifiers (RT#130561)
- Fix a buffer overrun with format and "use bytes" (RT#130703)
* Thu Jan 26 2017 Petr Pisar <ppisar@redhat.com> - 4:5.24.1-387 * Thu Jan 26 2017 Petr Pisar <ppisar@redhat.com> - 4:5.24.1-387
- Fix UTF-8 string handling in & operator (RT#129287) - Fix UTF-8 string handling in & operator (RT#129287)