From bf70c3addf83cba7bd6e6230695c1b896a168c67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Fri, 5 Apr 2019 16:35:26 +0200
Subject: [PATCH] Fix a memory leak when cloning a regular expression
---
perl-5.29.9-fix-leak-in-cloned-regexes.patch | 59 ++++++++++++++++++++
perl.spec | 6 ++
2 files changed, 65 insertions(+)
create mode 100644 perl-5.29.9-fix-leak-in-cloned-regexes.patch
diff --git a/perl-5.29.9-fix-leak-in-cloned-regexes.patch b/perl-5.29.9-fix-leak-in-cloned-regexes.patch
new file mode 100644
index 0000000..b6139ac
--- /dev/null
+++ b/perl-5.29.9-fix-leak-in-cloned-regexes.patch
@@ -0,0 +1,59 @@
+From 75bb5aa48dfcf930533cd069393fc8a45e4ece18 Mon Sep 17 00:00:00 2001
+From: David Mitchell
+Date: Fri, 22 Mar 2019 12:31:57 +0000
+Subject: [PATCH] fix leak in cloned regexes.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When a regex is cloned for a new thread, the string buffer (which holds
+the text of the original pattern) wasn't being freed because SvLEN was
+being set to 0.
+
+For example:
+
+ use threads;
+ my $r = qr/abc/;
+ threads->new( sub { 1; })->join;
+
+In the new thread, $r is cloned but when the thread exits, the string
+buffer holding "(?^:abc)" was leaking.
+
+This was broken by v5.27.2-30-gdf6b4bd565.
+
+The problem was that in the cloned SV, the buffer was copied, but the
+SvLEN(sv) was left set at zero, which along with the SVf_FAKE, mader it
+look like the buffer was alien and so not freed.
+
+SvLEN was 0 in the parent thread's $r, since $r and its compile-time
+prototype share the same string buffer (so only the original SV has
+SvLEN > 0 - all the copies - within the same thread - have mother_re
+pointing to the original).
+
+When REs are cloned into another thread, mother_re isn't preserved,
+so each RE has its own copy of the buffer.
+
+Signed-off-by: Petr Písař
+---
+ regcomp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/regcomp.c b/regcomp.c
+index 547b9113e3..15783541a4 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -20956,6 +20956,11 @@ Perl_re_dup_guts(pTHX_ const REGEXP *sstr, REGEXP *dstr, CLONE_PARAMS *param)
+ 2: something we no longer hold a reference on
+ so we need to copy it locally. */
+ RX_WRAPPED(dstr) = SAVEPVN(RX_WRAPPED_const(sstr), SvCUR(sstr)+1);
++ /* set malloced length to a non-zero value so it will be freed
++ * (otherwise in combination with SVf_FAKE it looks like an alien
++ * buffer). It doesn't have to be the actual malloced size, since it
++ * should never be grown */
++ SvLEN_set(dstr, SvCUR(sstr)+1);
+ ret->mother_re = NULL;
+ }
+ #endif /* PERL_IN_XSUB_RE */
+--
+2.20.1
+
diff --git a/perl.spec b/perl.spec
index fdb8e83..4605223 100644
--- a/perl.spec
+++ b/perl.spec
@@ -276,6 +276,9 @@ Patch59: perl-5.28.1-PATCH-perl-133880-assertion-failure.patch # in upstream after 5.29.9 Patch60: perl-5.28.1-Fix-POSIX-mblen-mbstate_t-initialization-on-threaded.patch +# Fix a memory leak when cloning a regular expression, in upstream after 5.29.9 +Patch61: perl-5.29.9-fix-leak-in-cloned-regexes.patch + # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@@ -2892,6 +2895,7 @@ Perl extension for Version Objects %patch58 -p1 %patch59 -p1 %patch60 -p1 +%patch61 -p1 %patch200 -p1 %patch201 -p1
@@ -2944,6 +2948,7 @@ perl -x patchlevel.h \ 'Fedora Patch58: Fix a buffer overread when handling a scope error in qr/\(?{/ (RT#133879)' \ 'Fedora Patch59: Fix a buffer overread when parsing a regular expression with an unknown character name (RT#133880)' \ 'Fedora Patch60: Fix mbstate_t initialization in POSIX::mblen (RT#133928)' \ + 'Fedora Patch61: Fix a memory leak when cloning a regular expression' \ 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \ 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \ %{nil}
@@ -5238,6 +5243,7 @@ popd - Fix a buffer overread when parsing a regular expression with an unknown character name (RT#133880) - Fix mbstate_t initialization in POSIX::mblen (RT#133928) +- Fix a memory leak when cloning a regular expression * Tue Mar 05 2019 Björn Esser - 4:5.28.1-434 - Add explicit Requires: libxcrypt-devel to devel sub-package (bug #1666098)
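Review bot: The comment added above `SvLEN_set(dstr, SvCUR(sstr)+1);` in the embedded regcomp.c hunk says the value need not match the real allocation, but not why a mismatch is safe. The SAVEPVN call on the preceding line copies `SvCUR(sstr)+1` bytes and, assuming the usual savepvn contract, allocates one more byte for a terminator, so the recorded length can understate the buffer but never overstate it. That direction matters, because an overstated SvLEN would let a later in-place write run past the allocation; I would add `* (SAVEPVN allocates at least this many bytes, so SvLEN never exceeds the real buffer)` to the comment. The patch carries no regression test, so the reproducer in its commit message has to be run under a leak checker to confirm the fix. Perl_re_dup_guts starts and ends outside the hunk.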
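Review bot: The new `Patch61` comment and its `Fedora Patch61:` patchlevel entry carry no upstream reference, while the neighbouring Patch58 to Patch60 patchlevel entries each cite an RT number. The patch file added by this commit names upstream commit 75bb5aa48dfcf930533cd069393fc8a45e4ece18, so the spec comment could read `# Fix a memory leak when cloning a regular expression, upstream commit 75bb5aa48dfc, in upstream after 5.29.9`. With the commit recorded, a later rebase can confirm the fix is present in the new base before the patch is dropped.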