From d959a0725c7e4e8627b77a3e285512210898a3f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Fri, 5 Apr 2019 16:07:10 +0200
Subject: [PATCH] Fix a buffer overread when parsing a regular expression with an unknown character name
---
 ...-PATCH-perl-133880-assertion-failure.patch | 69 +++++++++++++++++++
 perl.spec | 8 +++
 2 files changed, 77 insertions(+)
 create mode 100644 perl-5.28.1-PATCH-perl-133880-assertion-failure.patch
diff --git a/perl-5.28.1-PATCH-perl-133880-assertion-failure.patch b/perl-5.28.1-PATCH-perl-133880-assertion-failure.patch
new file mode 100644
index 0000000..b8a0b46
--- /dev/null
+++ b/perl-5.28.1-PATCH-perl-133880-assertion-failure.patch
@@ -0,0 +1,69 @@
+From d434dd3ec16dc1202626e9868f177203e2a86da5 Mon Sep 17 00:00:00 2001
+From: Karl Williamson
+Date: Thu, 21 Mar 2019 09:35:49 -0600
+Subject: [PATCH] PATCH: [perl #133880] assertion failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This was caused by attempting to continue parsing after an error is
+found, and later assuming that what came before was valid. The fix is
+to put in something valid that's usable until the parse eventually dies
+from what caused this, or some other error.
+
+Signed-off-by: Ported to 5.28.1 from
+ef65a74af186beb93566cf827c5f543f4aa14645.
+Signed-off-by: Petr Písař
+---
+ t/op/tr.t | 8 +++++++-
+ toke.c | 8 ++++++--
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/t/op/tr.t b/t/op/tr.t
+index 0f74936..47d603d 100644
+--- a/t/op/tr.t
++++ b/t/op/tr.t
+@@ -13,7 +13,7 @@ BEGIN {
+
+ use utf8;
+
+-plan tests => 300;
++plan tests => 301;
+
+ # Test this first before we extend the stack with other operations.
+ # This caused an asan failure due to a bad write past the end of the stack.
+@@ -1137,6 +1137,12 @@ for ("", nullrocow) {
+ [\x{E5CD}-\x{E5DF}\x{EA80}-\x{EAFA}\x{EB0E}-\x{EB8E}\x{EAFB}-\x{EB0D}\x{E5B5}-\x{E5CC}];
+
+ is $x, "\x{E5CE}", '[perl #130656]';
++
++}
++
++{
++ fresh_perl_like('y/\x{a00}0-\N{}//', qr/Unknown charname/, { },
++ 'RT #133880 illegal \N{}');
+ }
+
+ 1;
+diff --git a/toke.c b/toke.c
+index 3164df5..4747ef5 100644
+--- a/toke.c
++++ b/toke.c
+@@ -3770,8 +3770,12 @@ S_scan_const(pTHX_ char *start)
+ }
+ }
+ else /* Here is \N{NAME} but not \N{U+...}. */
+- if ((res = get_and_check_backslash_N_name(s, e)))
+- {
++ if (! (res = get_and_check_backslash_N_name(s, e)))
++ { /* Failed. We should die eventually, but for now use a NUL
++ to keep parsing */
++ *d++ = '\0';
++ }
++ else { /* Successfully evaluated the name */
+ STRLEN len;
+ const char *str = SvPV_const(res, len);
+ if (PL_lex_inpat) {
+--
+2.20.1
+
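Review bot: The new test in t/op/tr.t only matches the `Unknown charname` diagnostic, so on an ordinary build it would presumably pass whether or not the parser still reads past valid data; the memory-safety side of RT#133880 is checked only when the suite runs on a DEBUGGING or sanitizer-instrumented perl. A comment above the `fresh_perl_like` call would make that explicit, e.g. `# Only a DEBUGGING or ASan build detects the bad read itself; elsewhere this checks the diagnostic.` In toke.c, the failure branch's `*d++ = '\0';` relies on the destination buffer having room for one more byte, which the hunk does not show. Because the consumed `\N{...}` is longer than one byte this is likely fine, but a short remark in the existing comment would save the next reader the check. S_scan_const begins and ends outside the hunk.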
diff --git a/perl.spec b/perl.spec
index 0080681..b72e84f 100644
--- a/perl.spec
+++ b/perl.spec
@@ -268,6 +268,10 @@ Patch57: perl-5.29.8-fix-blead-on-non-threaded-builds.patch
 # in upstream after 5.29.8
 Patch58: perl-5.29.8-handle-scope-error-in-qr.patch
 
+# Fix a buffer overread when parsing a regular expression with an unknown
+# character name, RT#133880, in upstream after 5.29.9
+Patch59: perl-5.28.1-PATCH-perl-133880-assertion-failure.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
 
@@ -2882,6 +2886,7 @@ Perl extension for Version Objects
 %patch56 -p1
 %patch57 -p1
 %patch58 -p1
+%patch59 -p1
 %patch200 -p1
 %patch201 -p1
 
@@ -2932,6 +2937,7 @@ perl -x patchlevel.h \
 'Fedora Patch55: Fix extending a stack in Perl parser (RT#133778)' \
 'Fedora Patch56: Fix a leak when compiling a typed hash dereference' \
 'Fedora Patch58: Fix a buffer overread when handling a scope error in qr/\(?{/ (RT#133879)' \
+ 'Fedora Patch59: Fix a buffer overread when parsing a regular expression with an unknown character name (RT#133880)' \
 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
 %{nil}
@@ -5223,6 +5229,8 @@ popd
 * Fri Apr 05 2019 Petr Pisar - 4:5.28.1-435
 - Fix a leak when compiling a typed hash dereference
 - Fix a buffer overread when handling a scope error in qr/\(?{/ (RT#133879)
+- Fix a buffer overread when parsing a regular expression with an unknown
+ character name (RT#133880)
 
 * Tue Mar 05 2019 Björn Esser - 4:5.28.1-434
 - Add explicit Requires: libxcrypt-devel to devel sub-package (bug #1666098)