diff --git a/perl-5.24.0-perl-129164-Crash-with-splice.patch b/perl-5.24.0-perl-129164-Crash-with-splice.patch new file mode 100644 index 0000000..44dbe0c --- /dev/null +++ b/perl-5.24.0-perl-129164-Crash-with-splice.patch @@ -0,0 +1,79 @@ +From 54550573a613ad20f00521880f345644a1db85cc Mon Sep 17 00:00:00 2001 +From: Father Chrysostomos +Date: Sun, 11 Sep 2016 21:29:56 -0700 +Subject: [PATCH] Crash with splice +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Ported to 5.24.0: + +commit 92b69f6501b4d7351e09c8b1ddd386aa7e1c9cd1 +Author: Father Chrysostomos +Date: Sun Sep 11 21:29:56 2016 -0700 + + [perl #129164] Crash with splice + + This fixes #129166 and #129167 as well. + + splice needs to take into account that arrays can hold NULLs and + return &PL_sv_undef in those cases where it would have returned a + NULL element. + +Signed-off-by: Petr Písař +--- + pp.c | 4 ++++ + t/op/array.t | 17 +++++++++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/pp.c b/pp.c +index 4a2cde0..4153482 100644 +--- a/pp.c ++++ b/pp.c +@@ -5488,6 +5488,8 @@ PP(pp_splice) + for (i = length - 1, dst = &AvARRAY(ary)[offset]; i > 0; i--) + SvREFCNT_dec(*dst++); /* free them now */ + } ++ if (!*MARK) ++ *MARK = &PL_sv_undef; + } + AvFILLp(ary) += diff; + +@@ -5584,6 +5586,8 @@ PP(pp_splice) + while (length-- > 0) + SvREFCNT_dec(tmparyval[length]); + } ++ if (!*MARK) ++ *MARK = &PL_sv_undef; + } + else + *MARK = &PL_sv_undef; +diff --git a/t/op/array.t b/t/op/array.t +index 4f0a772..fb4e8c6 100644 +--- a/t/op/array.t ++++ b/t/op/array.t +@@ -555,4 +555,21 @@ is $#foo, 3, 'assigning to arylen aliased in foreach(scalar $#arylen)'; + is "@a", 'a b c', 'assigning to itself'; + } + ++# [perl #129164], [perl #129166], [perl #129167] ++# splice() with null array entries ++# These used to crash. ++$#a = -1; $#a++; ++() = 0-splice @a; # subtract ++$#a = -1; $#a++; ++() = -splice @a; # negate ++$#a = -1; $#a++; ++() = 0+splice @a; # add ++# And with array expansion, too ++$#a = -1; $#a++; ++() = 0-splice @a, 0, 1, 1, 1; ++$#a = -1; $#a++; ++() = -splice @a, 0, 1, 1, 1; ++$#a = -1; $#a++; ++() = 0+splice @a, 0, 1, 1, 1; ++ + "We're included by lib/Tie/Array/std.t so we need to return something true"; +-- +2.7.4 + diff --git a/perl.spec b/perl.spec index 6a5811a..3e66fc7 100644 --- a/perl.spec +++ b/perl.spec @@ -188,6 +188,9 @@ Patch45: perl-5.25.4-perl-129196-Crash-bad-read-with-evalbytes-S.patch Patch46: perl-5.24.0-Regression-test-for-RT-129196.patch Patch47: perl-5.25.4-toke.c-fix-mswin32-builds.patch +# Fix crash in splice, RT#129164, RT#129166, RT#129167, in upstream after 5.25.4 +Patch48: perl-5.24.0-perl-129164-Crash-with-splice.patch + # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch @@ -2858,6 +2861,7 @@ Perl extension for Version Objects %patch45 -p1 %patch46 -p1 %patch47 -p1 +%patch48 -p1 %patch200 -p1 %patch201 -p1 @@ -2896,6 +2900,7 @@ perl -x patchlevel.h \ 'Fedora Patch45: Fix crash in "evalbytes S" (RT#129196)' \ 'Fedora Patch46: Fix crash in "evalbytes S" (RT#129196)' \ 'Fedora Patch47: Fix crash in "evalbytes S" (RT#129196)' \ + 'Fedora Petch48: Fix crash in splice (RT#129164, RT#129166, RT#129167)' \ 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \ 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \ %{nil} @@ -5176,6 +5181,7 @@ popd %changelog * Thu Nov 03 2016 Petr Pisar - 4:5.24.0-379 - Fix crash in "evalbytes S" (RT#129196) +- Fix crash in splice (RT#129164, RT#129166, RT#129167) * Fri Sep 02 2016 Petr Pisar - 4:5.24.0-378 - perl-core depends on Parse::CPAN::Meta module instead of package name to allow