rpms/perl
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix an invalid memory read when parsing a loop variable

Browse Source
This commit is contained in:
Petr Písař 2017-03-08 12:41:54 +01:00
parent d61d60edb3
commit c63d747d11
5 changed files with 239 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
perl-5.24.1-perl-130814-update-pointer-into-PL_linestr-after-loo.patch Normal file
View File

@ -0,0 +1,50 @@
From 9df34f9c4701104a366e768237ca694411136d2a Mon Sep 17 00:00:00 2001
From: Hugo van der Sanden <hv@crypt.org>
Date: Sun, 19 Feb 2017 10:46:09 +0000
Subject: [PATCH] update pointer into PL_linestr after lookahead
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ported to: 5.24.1:
commit 90f2cc9a600117a49f8ee3e30cc681f062350c24
Author: Hugo van der Sanden <hv@crypt.org>
Date: Sun Feb 19 10:46:09 2017 +0000
[perl #130814] update pointer into PL_linestr after lookahead
Looking ahead for the "Missing $ on loop variable" diagnostic can reallocate
PL_linestr, invalidating our pointer. Save the offset so we can update it
in that case.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
toke.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/toke.c b/toke.c
index 630fc59..029d2ea 100644
--- a/toke.c
+++ b/toke.c
@@ -7565,6 +7565,7 @@ Perl_yylex(pTHX)
s = skipspace(s);
if (PL_expect == XSTATE && isIDFIRST_lazy_if(s,UTF)) {
char *p = s;
+ SSize_t s_off = s - SvPVX(PL_linestr);
if ((PL_bufend - p) >= 3
&& strnEQ(p, "my", 2) && isSPACE(*(p + 2)))
@@ -7582,6 +7583,9 @@ Perl_yylex(pTHX)
}
if (*p != '$')
Perl_croak(aTHX_ "Missing $ on loop variable");
+
+ /* The buffer may have been reallocated, update s */
+ s = SvPVX(PL_linestr) + s_off;
}
OPERATOR(FOR);
--
2.7.4

44
perl-5.25.10-fix-VMS-test-fail.patch Normal file
View File

@ -0,0 +1,44 @@
From bce4a2abeb8652d19e97d3bf07dd2580a3cc2e6c Mon Sep 17 00:00:00 2001
From: Hugo van der Sanden <hv@crypt.org>
Date: Sat, 25 Feb 2017 10:42:17 +0000
Subject: [PATCH] fix VMS test fail
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
d7186add added a runperl() test that breaks command line length limits for
VMS. Switch to fresh_perl() instead, so the prog is put in a file for us.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
t/comp/parser_run.t | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/t/comp/parser_run.t b/t/comp/parser_run.t
index 2543f49..e74644d 100644
--- a/t/comp/parser_run.t
+++ b/t/comp/parser_run.t
@@ -14,14 +14,14 @@ plan(1);
# [perl #130814] can reallocate lineptr while looking ahead for
# "Missing $ on loop variable" diagnostic.
-my $result = runperl(
- prog => " foreach m0\n\$" . ("0" x 0x2000),
- stderr => 1,
+my $result = fresh_perl(
+ " foreach m0\n\$" . ("0" x 0x2000),
+ { stderr => 1 },
);
-is($result, <<EXPECT);
-syntax error at -e line 3, near "foreach m0
+is($result . "\n", <<EXPECT);
+syntax error at - line 3, near "foreach m0
"
-Identifier too long at -e line 3.
+Identifier too long at - line 3.
EXPECT
__END__
--
2.7.4

55
perl-5.25.10-perl-130814-Add-testcase-and-new-testfile-t-comp-par.patch Normal file
View File

@ -0,0 +1,55 @@
From d7186addd1b477f6bdcef5e9d24f2125691a9082 Mon Sep 17 00:00:00 2001
From: Hugo van der Sanden <hv@crypt.org>
Date: Sun, 19 Feb 2017 11:15:38 +0000
Subject: [PATCH] [perl #130814] Add testcase, and new testfile
t/comp/parser_run.t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sometimes it's useful to have test.pl around, but it seems inappropriate
to pollute the existing t/comp/parser.t with that.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
t/comp/parser_run.t | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 t/comp/parser_run.t
diff --git a/t/comp/parser_run.t b/t/comp/parser_run.t
new file mode 100644
index 0000000..2543f49
--- /dev/null
+++ b/t/comp/parser_run.t
@@ -0,0 +1,28 @@
+#!./perl
+
+# Parser tests that want test.pl, eg to use runperl() for tests to show
+# reads through invalid pointers.
+# Note that this should still be runnable under miniperl.
+
+BEGIN {
+ @INC = qw(. ../lib );
+ chdir 't' if -d 't';
+}
+
+require './test.pl';
+plan(1);
+
+# [perl #130814] can reallocate lineptr while looking ahead for
+# "Missing $ on loop variable" diagnostic.
+my $result = runperl(
+ prog => " foreach m0\n\$" . ("0" x 0x2000),
+ stderr => 1,
+);
+is($result, <<EXPECT);
+syntax error at -e line 3, near "foreach m0
+"
+Identifier too long at -e line 3.
+EXPECT
+
+__END__
+# ex: set ts=8 sts=4 sw=4 et:
--
2.7.4

74
perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch Normal file
View File

@ -0,0 +1,74 @@
From f6203e997f3012b8aab4cd35fe49f58e4d71fb8c Mon Sep 17 00:00:00 2001
From: Karl Williamson <khw@cpan.org>
Date: Sun, 10 Jul 2016 22:06:12 -0600
Subject: [PATCH] t/test.pl: Add fresh_perl() function
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This will be useful for cases where the results don't readily fall into
fresh_perl_is and fresh_perl_like, such as when a bunch of massaging of
the results is needed before it is convenient to test them.
fresh_perl_like() could be used, but in the case of failure there could
be lines and lines of noise output.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
t/test.pl | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/t/test.pl b/t/test.pl
index 41b77f4..20d08e9 100644
--- a/t/test.pl
+++ b/t/test.pl
@@ -953,11 +953,16 @@ sub register_tempfile {
return $count;
}
-# This is the temporary file for _fresh_perl
+# This is the temporary file for fresh_perl
my $tmpfile = tempfile();
-sub _fresh_perl {
- my($prog, $action, $expect, $runperl_args, $name) = @_;
+sub fresh_perl {
+ my($prog, $runperl_args) = @_;
+
+ # Run 'runperl' with the complete perl program contained in '$prog', and
+ # arguments in the hash referred to by '$runperl_args'. The results are
+ # returned, with $? set to the exit code. Unless overridden, stderr is
+ # redirected to stdout.
# Given the choice of the mis-parsable {}
# (we want an anon hash, but a borked lexer might think that it's a block)
@@ -975,7 +980,8 @@ sub _fresh_perl {
close TEST or die "Cannot close $tmpfile: $!";
my $results = runperl(%$runperl_args);
- my $status = $?;
+ my $status = $?; # Not necessary to save this, but it makes it clear to
+ # future maintainers.
# Clean up the results into something a bit more predictable.
$results =~ s/\n+$//;
@@ -994,6 +1000,17 @@ sub _fresh_perl {
$results =~ s/\n\n/\n/g;
}
+ $? = $status;
+ return $results;
+}
+
+
+sub _fresh_perl {
+ my($prog, $action, $expect, $runperl_args, $name) = @_;
+
+ my $results = fresh_perl($prog, $runperl_args);
+ my $status = $?;
+
# Use the first line of the program as a name if none was given
unless( $name ) {
($first_line, $name) = $prog =~ /^((.{1,50}).*)/;
--
2.7.4

16
perl.spec
View File

@ -313,6 +313,16 @@ Patch88: perl-5.24.1-perl-129340-copy-the-source-when-inside-the-dest-in-
# in upstream after 5.25.10 # in upstream after 5.25.10
Patch89: perl-5.24.1-perl-130822-fix-an-AV-leak-in-Perl_reg_named_buff_fe.patch Patch89: perl-5.24.1-perl-130822-fix-an-AV-leak-in-Perl_reg_named_buff_fe.patch
# Fix an invalid memory read when parsing a loop variable, RT#130814,
# in upstream after 5.25.10
Patch90: perl-5.25.10-perl-130814-Add-testcase-and-new-testfile-t-comp-par.patch
# in upstream after 5.25.10
Patch91: perl-5.24.1-perl-130814-update-pointer-into-PL_linestr-after-loo.patch
# in upstream after 5.25.2
Patch92: perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch
# in upstream after 5.25.10
Patch93: perl-5.25.10-fix-VMS-test-fail.patch
# Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@ -3028,6 +3038,10 @@ popd
%patch87 -p1 %patch87 -p1
%patch88 -p1 %patch88 -p1
%patch89 -p1 %patch89 -p1
%patch90 -p1
%patch91 -p1
%patch92 -p1
%patch93 -p1
%patch200 -p1 %patch200 -p1
%patch201 -p1 %patch201 -p1
@ -3102,6 +3116,7 @@ perl -x patchlevel.h \
'Fedora Patch87: Fix a null-pointer dereference on malformed code (RT#130815)' \ 'Fedora Patch87: Fix a null-pointer dereference on malformed code (RT#130815)' \
'Fedora Patch88: Fix an use-after-free in substr() that modifies a magic variable (RT#129340)' \ 'Fedora Patch88: Fix an use-after-free in substr() that modifies a magic variable (RT#129340)' \
'Fedora Patch89: Fix a memory leak leak in Perl_reg_named_buff_fetch() (RT#130822)' \ 'Fedora Patch89: Fix a memory leak leak in Perl_reg_named_buff_fetch() (RT#130822)' \
'Fedora Patch90: Fix an invalid memory read when parsing a loop variable (RT#130814)' \
'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \ 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \ 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
%{nil} %{nil}
@ -5382,6 +5397,7 @@ popd
- Fix a null-pointer dereference on malformed code (RT#130815) - Fix a null-pointer dereference on malformed code (RT#130815)
- Fix an use-after-free in substr() that modifies a magic variable (RT#129340) - Fix an use-after-free in substr() that modifies a magic variable (RT#129340)
- Fix a memory leak leak in Perl_reg_named_buff_fetch() (RT#130822) - Fix a memory leak leak in Perl_reg_named_buff_fetch() (RT#130822)
- Fix an invalid memory read when parsing a loop variable (RT#130814)
* Fri Feb 17 2017 Petr Pisar <ppisar@redhat.com> - 4:5.24.1-389 * Fri Feb 17 2017 Petr Pisar <ppisar@redhat.com> - 4:5.24.1-389
- Adapt Compress::Raw::Zlib to zlib-1.2.11 (bug #1420326) - Adapt Compress::Raw::Zlib to zlib-1.2.11 (bug #1420326)