diff --git a/perl-5.27.7-perl-131954-don-t-initialize-mark-before-a-possible-.patch b/perl-5.27.7-perl-131954-don-t-initialize-mark-before-a-possible-.patch
new file mode 100644
index 0000000..7fd33d6
--- /dev/null
+++ b/perl-5.27.7-perl-131954-don-t-initialize-mark-before-a-possible-.patch
@@ -0,0 +1,92 @@
+From 57bd660029d94312ca4eb88993889d981f41b484 Mon Sep 17 00:00:00 2001
+From: Tony Cook
+Date: Thu, 24 Aug 2017 15:52:33 +1000
+Subject: [PATCH] (perl #131954) don't initialize mark before a possible move
+ of the stack
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Petr Písař
+---
+ pp.c | 4 +++-
+ t/op/list.t | 42 +++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 44 insertions(+), 2 deletions(-)
+
+diff --git a/pp.c b/pp.c
+index ae6d9c94d1..4b1ccbba80 100644
+--- a/pp.c
++++ b/pp.c
+@@ -5104,9 +5104,11 @@ PP(pp_list)
+ {
+ I32 markidx = POPMARK;
+ if (GIMME_V != G_ARRAY) {
+- SV **mark = PL_stack_base + markidx;
++ /* don't initialize mark here, EXTEND() may move the stack */
++ SV **mark;
+ dSP;
+ EXTEND(SP, 1); /* in case no arguments, as in @empty */
++ mark = PL_stack_base + markidx;
+ if (++MARK <= SP)
+ *MARK = *SP; /* unwanted list, return last item */
+ else
+diff --git a/t/op/list.t b/t/op/list.t
+index 3f9487b96f..2acb03a321 100644
+--- a/t/op/list.t
++++ b/t/op/list.t
+@@ -6,7 +6,7 @@ BEGIN {
+ set_up_inc(qw(. ../lib));
+ }
+
+-plan( tests => 71 );
++plan( tests => 72 );
+
+ @foo = (1, 2, 3, 4);
+ cmp_ok($foo[0], '==', 1, 'first elem');
+@@ -228,3 +228,43 @@ ok(($0[()[()]],1), "[perl #126193] list slice with zero indexes");
+ @x;
+ pass('no panic'); # panics only under DEBUGGING
+ }
++
++fresh_perl_is(<<'EOS', "", {}, "[perl #131954] heap use after free in pp_list");
++#!./perl
++BEGIN {
++my $bar = "bar";
++
++sub test_no_error {
++ eval $_[0];
++}
++
++test_no_error($_) for split /\n/,
++q[ x
++ definfoo, $bar;
++ x
++ x
++ x
++ grep((not $bar, $bar, $bar), $bar);
++ x
++ x
++ x
++ x
++ x
++ x
++ x
++ x
++ x
++ x
++ x
++ x
++ x
++ x
++ x
++ x
++ x
++ x
++ x
++ x
++ ];
++}
++EOS
+--
+2.13.6
+
diff --git a/perl.spec b/perl.spec
index 07987ee..b6c2dc7 100644
--- a/perl.spec
+++ b/perl.spec
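Review bot: The regression test added to t/op/list.t does not explain why it feeds `definfoo, $bar;`, the odd `grep((not $bar, $bar, $bar), $bar);` line and twenty filler `x` lines through string eval, so a future maintainer trimming it could silently lose the trigger. Presumably the filler is what grows the argument stack enough for `EXTEND()` in pp_list to reallocate it, and the broken statements are what reach the non-list-context branch; a one-line comment above `fresh_perl_is` such as `# the junk statements and padding lines are what get pp_list's EXTEND() to realloc the stack; do not trim them` would record that, marked as a note to confirm if the reason differs. Also note that `fresh_perl_is` only asserts empty output, so on a non-ASAN, non-DEBUGGING build the use-after-free would presumably surface only as a crash or garbled output rather than a deterministic failure. The pp_list body continues past the end of the pp.c hunk, so any other pointer into the stack computed there before the `EXTEND()` call would need the same treatment and cannot be checked from this view.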
@@ -269,6 +269,10 @@ Patch79: perl-5.27.8-hints-linux-Add-lphtread-to-lddlflags.patch
 # in upstream after 5.27.7
 Patch80: perl-5.26.1-fix-parsing-of-braced-subscript-after-parens.patch
 
+# Fix a heap use after free when moving a stack, RT#131954,
+# in upstream after 5.27.7
+Patch81: perl-5.27.7-perl-131954-don-t-initialize-mark-before-a-possible-.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
 
@@ -2864,6 +2868,7 @@ Perl extension for Version Objects
 %patch78 -p1
 %patch79 -p1
 %patch80 -p1
+%patch81 -p1
 %patch200 -p1
 %patch201 -p1
 
@@ -2915,6 +2920,7 @@ perl -x patchlevel.h \
 'Fedora Patch78: Fix compatibility with libxcrypt (bug #1536752)' \
 'Fedora Patch79: Link XS modules to pthread library to fix linking with -z defs' \
 'Fedora Patch80: Fix parsing braced subscript after parentheses (RT#8045)' \
+ 'Fedora Patch81: Fix a heap use after free when moving a stack (RT#131954)' \
 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
 %{nil}
@@ -5206,6 +5212,7 @@ popd
 %changelog
 * Tue Feb 06 2018 Petr Pisar - 4:5.26.1-407
 - Fix parsing braced subscript after parentheses (RT#8045)
+- Fix a heap use after free when moving a stack (RT#131954)
 
 * Thu Feb 01 2018 Petr Pisar - 4:5.26.1-406
 - Correct shell bangs in tests
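Review bot: The new `# in upstream after 5.27.7` comment on Patch81 gives no concrete drop point, and the patch it describes carries an author date of 24 Aug 2017, well before the 5.27.7 release, so the phrase presumably refers to when the fix was merged rather than when it was written. Naming the first upstream release that ships commit 57bd660 (as in `# in upstream since 5.27.N, commit 57bd660`) would let the next rebase drop the patch without re-checking blead. The same wording is repeated in the patchlevel.h description and the changelog entry, so whichever form is chosen should be applied in all three places for consistency.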