From e24a3ce0f29225022672bcd0d92bcfd17d79e4d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Thu, 22 Aug 2019 10:46:53 +0200
Subject: [PATCH] Fix a NULL pointer dereference in PerlIOVia_pushed()
---
 ...heck-arg-is-non-NULL-before-using-it.patch | 38 +++++++++++++++++++
 perl.spec | 10 ++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 perl-5.31.2-PerlIO-Via-check-arg-is-non-NULL-before-using-it.patch
diff --git a/perl-5.31.2-PerlIO-Via-check-arg-is-non-NULL-before-using-it.patch b/perl-5.31.2-PerlIO-Via-check-arg-is-non-NULL-before-using-it.patch
new file mode 100644
index 0000000..3ded0e2
--- /dev/null
+++ b/perl-5.31.2-PerlIO-Via-check-arg-is-non-NULL-before-using-it.patch
@@ -0,0 +1,38 @@
+From 12e1284a67e5e3404c704c3f864749fd9f04c7c4 Mon Sep 17 00:00:00 2001
+From: Tony Cook
+Date: Wed, 7 Aug 2019 14:58:14 +1000
+Subject: [PATCH] PerlIO::Via: check arg is non-NULL before using it.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+I can't find any code in core that ends up calling the _pushed handler
+with arg == NULL, but PerlIO_push() is API, and there might be
+CPAN or DarkPAN code out there that does, escpecially since there's
+a check for arg being non-NULL further down.
+
+CID 169261.
+
+Signed-off-by: Petr Písař
+---
+ ext/PerlIO-via/via.xs | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/PerlIO-via/via.xs b/ext/PerlIO-via/via.xs
+index d91c6855fc..8456242bc0 100644
+--- a/ext/PerlIO-via/via.xs
++++ b/ext/PerlIO-via/via.xs
+@@ -134,8 +134,8 @@ PerlIOVia_pushed(pTHX_ PerlIO * f, const char *mode, SV * arg,
+ {
+ IV code = PerlIOBase_pushed(aTHX_ f, mode, Nullsv, tab);
+
+- if (SvTYPE(arg) >= SVt_PVMG
+- && mg_findext(arg, PERL_MAGIC_ext, &PerlIOVia_tag)) {
++ if (arg && SvTYPE(arg) >= SVt_PVMG
++ && mg_findext(arg, PERL_MAGIC_ext, &PerlIOVia_tag)) {
+ return code;
+ }
+
+--
+2.21.0
+
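Review bot: The `arg &&` guard added to the condition in PerlIOVia_pushed() carries no comment explaining when `arg` can be NULL, so a later cleanup could drop it as redundant; a line such as `/* arg may be NULL: PerlIO_push() is public API and non-core callers may pass no argument */` above the `if` would record the reason given in the commit message. The embedded patch changes only ext/PerlIO-via/via.xs, so no test exercises the NULL path; since the message says no core caller passes NULL, a regression test would presumably need an XS-level caller. The function body continues outside the hunk, and the later non-NULL check the message refers to is not visible here, so it is worth confirming that every use of `arg` after this condition is guarded.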
diff --git a/perl.spec b/perl.spec
index 0500e80..134f525 100644
--- a/perl.spec
+++ b/perl.spec
@@ -85,7 +85,7 @@ License: GPL+ or Artistic
 Epoch: %{perl_epoch}
 Version: %{perl_version}
 # release number must be even higher, because dual-lived modules will be broken otherwise
-Release: 443%{?dist}
+Release: 444%{?dist}
 Summary: Practical Extraction and Report Language
 Url: https://www.perl.org/
 Source0: https://www.cpan.org/src/5.0/perl-%{perl_version}.tar.xz
@@ -246,6 +246,9 @@ Patch47: perl-5.31.2-avoid-use-after-free-in.patch
 # in upstream after 5.31.2
 Patch48: perl-5.31.2-locale.c-Stop-Coverity-warning.patch
+# Fix a NULL pointer dereference in PerlIOVia_pushed(), fixed after 5.31.2
+Patch49: perl-5.31.2-PerlIO-Via-check-arg-is-non-NULL-before-using-it.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@@ -2816,6 +2819,7 @@ Perl extension for Version Objects
 %patch46 -p1
 %patch47 -p1
 %patch48 -p1
+%patch49 -p1
 %patch200 -p1
 %patch201 -p1
@@ -2871,6 +2875,7 @@ perl -x patchlevel.h \
 'Fedora Patch46: Include trailing zero in scalars holding trie data (RT#134207)' \
 'Fedora Patch47: Fix a use after free in /(?{...})/ (RT#134208)' \
 'Fedora Patch48: Fix a use after free in debugging output of a collation' \
+ 'Fedora Patch49: Fix a NULL pointer dereference in PerlIOVia_pushed()' \
 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
 %{nil}
@@ -5116,6 +5121,9 @@ popd
 # Old changelog entries are preserved in CVS.
 %changelog
+* Thu Aug 22 2019 Petr Pisar - 4:5.30.0-444
+- Fix a NULL pointer dereference in PerlIOVia_pushed()
+
 * Wed Aug 07 2019 Petr Pisar - 4:5.30.0-443
 - Fix propagating non-string variables in an exception value (RT#134291)
 - Include trailing zero in scalars holding trie data (RT#134207)
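Review bot: The comment added above `Patch49:` carries no upstream identifier, although the embedded patch cites `CID 169261` (presumably a Coverity issue id) and the neighbouring `Fedora Patch46` and `Fedora Patch47` descriptions include their RT numbers. Writing it as `# Fix a NULL pointer dereference in PerlIOVia_pushed(), CID 169261, fixed after 5.31.2` would make the fix traceable from the spec alone. The same reference could be appended to the `Fedora Patch49` description in the patchlevel.h list and to the new changelog entry, so that someone auditing the package can match this build to the upstream fix.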