From f526e67959f78d36dea5aeff190718529026cd36 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 15 Jan 2019 09:09:56 +0100
Subject: [PATCH] Prevent long jumps from clobbering local variables

---
 ...ent-set-longjmp-clobbering-locals-in.patch | 111 ++++++++++++++++++
 perl.spec                                     |   7 ++
 2 files changed, 118 insertions(+)
 create mode 100644 perl-5.29.6-perl-133575-prevent-set-longjmp-clobbering-locals-in.patch

diff --git a/perl-5.29.6-perl-133575-prevent-set-longjmp-clobbering-locals-in.patch b/perl-5.29.6-perl-133575-prevent-set-longjmp-clobbering-locals-in.patch
new file mode 100644
index 0000000..2da159b
--- /dev/null
+++ b/perl-5.29.6-perl-133575-prevent-set-longjmp-clobbering-locals-in.patch
@@ -0,0 +1,111 @@
+From 35ad0133df9b65a4e32f2f07a2a05b387bd79591 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Thu, 3 Jan 2019 10:48:05 +1100
+Subject: [PATCH] (perl #133575) prevent set/longjmp clobbering locals in
+ S_fold_constants
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+My original approach moved the whole switch into the new function,
+but that was a lot messier, and I don't think it's necessary.
+
+pad_swipe() can throw, but only for panics, and in DESTROY if
+refadjust is true, which isn't the case here.
+
+CLEAR_ERRSV() might throw if the code called by CALLRUNOPS()
+puts an object that dies in DESTROY in $@, but I think that
+might cause an infinite loop in the original code.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ op.c | 32 ++++++++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/op.c b/op.c
+index 146407ba70..0b46b348cb 100644
+--- a/op.c
++++ b/op.c
+@@ -5464,15 +5464,34 @@ S_op_integerize(pTHX_ OP *o)
+     return o;
+ }
+ 
++/* This function exists solely to provide a scope to limit
++   setjmp/longjmp() messing with auto variables.
++ */
++PERL_STATIC_INLINE int
++S_fold_constants_eval(pTHX) {
++    int ret = 0;
++    dJMPENV;
++
++    JMPENV_PUSH(ret);
++
++    if (ret == 0) {
++	CALLRUNOPS(aTHX);
++    }
++
++    JMPENV_POP;
++
++    return ret;
++}
++
+ static OP *
+ S_fold_constants(pTHX_ OP *const o)
+ {
+     dVAR;
+-    OP * volatile curop;
++    OP *curop;
+     OP *newop;
+-    volatile I32 type = o->op_type;
++    I32 type = o->op_type;
+     bool is_stringify;
+-    SV * volatile sv = NULL;
++    SV *sv = NULL;
+     int ret = 0;
+     OP *old_next;
+     SV * const oldwarnhook = PL_warnhook;
+@@ -5480,7 +5499,6 @@ S_fold_constants(pTHX_ OP *const o)
+     COP not_compiling;
+     U8 oldwarn = PL_dowarn;
+     I32 old_cxix;
+-    dJMPENV;
+ 
+     PERL_ARGS_ASSERT_FOLD_CONSTANTS;
+ 
+@@ -5582,15 +5600,15 @@ S_fold_constants(pTHX_ OP *const o)
+     assert(IN_PERL_RUNTIME);
+     PL_warnhook = PERL_WARNHOOK_FATAL;
+     PL_diehook  = NULL;
+-    JMPENV_PUSH(ret);
+ 
+     /* Effective $^W=1.  */
+     if ( ! (PL_dowarn & G_WARN_ALL_MASK))
+ 	PL_dowarn |= G_WARN_ON;
+ 
++    ret = S_fold_constants_eval(aTHX);
++
+     switch (ret) {
+     case 0:
+-	CALLRUNOPS(aTHX);
+ 	sv = *(PL_stack_sp--);
+ 	if (o->op_targ && sv == PAD_SV(o->op_targ)) {	/* grab pad temp? */
+ 	    pad_swipe(o->op_targ,  FALSE);
+@@ -5608,7 +5626,6 @@ S_fold_constants(pTHX_ OP *const o)
+ 	o->op_next = old_next;
+ 	break;
+     default:
+-	JMPENV_POP;
+ 	/* Don't expect 1 (setjmp failed) or 2 (something called my_exit)  */
+ 	PL_warnhook = oldwarnhook;
+ 	PL_diehook  = olddiehook;
+@@ -5616,7 +5633,6 @@ S_fold_constants(pTHX_ OP *const o)
+ 	 * the stack - eg any nested evals */
+ 	Perl_croak(aTHX_ "panic: fold_constants JMPENV_PUSH returned %d", ret);
+     }
+-    JMPENV_POP;
+     PL_dowarn   = oldwarn;
+     PL_warnhook = oldwarnhook;
+     PL_diehook  = olddiehook;
+-- 
+2.17.2
+
diff --git a/perl.spec b/perl.spec
index 7334b51..e930b8a 100644
--- a/perl.spec
+++ b/perl.spec
@@ -239,6 +239,10 @@ Patch47:        perl-5.29.6-perl-132158-abort-compilation-if-we-see-an-error-com
 # in upstream after 5.29.6
 Patch48:        perl-5.29.6-regen-warnings.pl-Fix-undefined-C-behavior.patch
 
+# Prevent long jumps from clobbering local variables, RT#133575,
+# in upstream after 5.29.6
+Patch49:        perl-5.29.6-perl-133575-prevent-set-longjmp-clobbering-locals-in.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
 
@@ -2841,6 +2845,7 @@ Perl extension for Version Objects
 %patch46 -p1
 %patch47 -p1
 %patch48 -p1
+%patch49 -p1
 %patch200 -p1
 %patch201 -p1
 
@@ -2883,6 +2888,7 @@ perl -x patchlevel.h \
     'Fedora Patch45: Fix first eof() return value (RT#133721)' \
     'Fedora Patch47: Fix a crash when compiling a malformed form (RT#132158)' \
     'Fedora Patch48: Fix un undefined C behavior in NULL pointer arithmetics (RT#133223)' \
+    'Fedora Patch49: Prevent long jumps from clobbering local variables (RT#133575)' \
     'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
     'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
     %{nil}
@@ -5178,6 +5184,7 @@ popd
 - Fix first eof() return value (RT#133721)
 - Fix a crash when compiling a malformed form (RT#132158)
 - Fix un undefined C behavior in NULL pointer arithmetics (RT#133223)
+- Prevent long jumps from clobbering local variables (RT#133575)
 
 * Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 4:5.28.1-429
 - Rebuilt for libcrypt.so.2 (#1666033)