Change Perl_repeatcpy() prototype to allow repeat count above 2^31
This commit is contained in:
Petr Písař
parent
585e8123ab
commit
f757a4d014
|
|
@ -0,0 +1,76 @@
|
|||
From 647b6565b7d935eb9b92e057d0c7ae5fe54726e2 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Thu, 6 Oct 2011 16:35:49 +0200
|
||||
Subject: [PATCH] Don't segfault given string repeat count larger than 2^31
|
||||
|
||||
E.g., this overflows INT_MAX and overruns heap memory:
|
||||
|
||||
$ perl -le 'print "v"x(2**31+1)'
|
||||
[Exit 139 (SEGV)]
|
||||
|
||||
(Perl_repeatcpy): Use the same type for "count" as our sole
|
||||
callers in pp.c: IV (long), not I32 (int). Otherwise, passing
|
||||
the wider value to a narrower "I32 count"
|
||||
|
||||
http://thread.gmane.org/gmane.comp.lang.perl.perl5.porters/96812
|
||||
https://rt.perl.org/rt3/Ticket/Display.html?id=94560
|
||||
|
||||
Original author: Jim Meyering <meyering@redhat.com>
|
||||
Petr Pisar: Modify embed.fnc instead of generated proto.h
|
||||
---
|
||||
embed.fnc | 2 +-
|
||||
util.c | 8 ++++----
|
||||
2 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/embed.fnc b/embed.fnc
|
||||
index bce167e..8c86a3e 100644
|
||||
--- a/embed.fnc
|
||||
+++ b/embed.fnc
|
||||
@@ -1032,7 +1032,7 @@ EXp |SV*|reg_qr_package|NN REGEXP * const rx
|
||||
|
||||
: FIXME - why the E?
|
||||
Ep |void |regprop |NULLOK const regexp *prog|NN SV* sv|NN const regnode* o
|
||||
-Anp |void |repeatcpy |NN char* to|NN const char* from|I32 len|I32 count
|
||||
+Anp |void |repeatcpy |NN char* to|NN const char* from|I32 len|IV count
|
||||
AnpP |char* |rninstr |NN const char* big|NN const char* bigend \
|
||||
|NN const char* little|NN const char* lend
|
||||
Ap |Sighandler_t|rsignal |int i|Sighandler_t t
|
||||
diff --git a/util.c b/util.c
|
||||
index 0ea39c6..3d4dcc7 100644
|
||||
--- a/util.c
|
||||
+++ b/util.c
|
||||
@@ -3315,7 +3315,7 @@ Perl_my_pclose(pTHX_ PerlIO *ptr)
|
||||
|
||||
#define PERL_REPEATCPY_LINEAR 4
|
||||
void
|
||||
-Perl_repeatcpy(register char *to, register const char *from, I32 len, register I32 count)
|
||||
+Perl_repeatcpy(register char *to, register const char *from, I32 len, register IV count)
|
||||
{
|
||||
PERL_ARGS_ASSERT_REPEATCPY;
|
||||
|
||||
@@ -3323,19 +3323,19 @@ Perl_repeatcpy(register char *to, register const char *from, I32 len, register I
|
||||
memset(to, *from, count);
|
||||
else if (count) {
|
||||
register char *p = to;
|
||||
- I32 items, linear, half;
|
||||
+ IV items, linear, half;
|
||||
|
||||
linear = count < PERL_REPEATCPY_LINEAR ? count : PERL_REPEATCPY_LINEAR;
|
||||
for (items = 0; items < linear; ++items) {
|
||||
register const char *q = from;
|
||||
- I32 todo;
|
||||
+ IV todo;
|
||||
for (todo = len; todo > 0; todo--)
|
||||
*p++ = *q++;
|
||||
}
|
||||
|
||||
half = count / 2;
|
||||
while (items <= half) {
|
||||
- I32 size = items * len;
|
||||
+ IV size = items * len;
|
||||
memcpy(p, to, size);
|
||||
p += size;
|
||||
items *= 2;
|
||||
--
|
||||
1.7.6.4
|
||||
|
||||
11
perl.spec
11
perl.spec
|
|
@ -71,6 +71,10 @@ Patch8: perl-5.14.1-offtest.patch
|
|||
# Fix code injection in Digest, rhbz #743010, RT#71390, fixed in Digest-1.17.
|
||||
Patch9: perl-5.14.2-digest_eval.patch
|
||||
|
||||
# Change Perl_repeatcpy() prototype to allow repeat count above 2^31
|
||||
# rhbz #720610, Perl RT#94560
|
||||
Patch10: perl-5.14.2-large-repeat-heap-abuse.patch
|
||||
|
||||
# Update some of the bundled modules
|
||||
# see http://fedoraproject.org/wiki/Perl/perl.spec for instructions
|
||||
|
||||
|
|
@ -1165,6 +1169,7 @@ tarball from perl.org.
|
|||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
|
||||
#copy the example script
|
||||
cp -a %{SOURCE5} .
|
||||
|
|
@ -1227,6 +1232,9 @@ echo "RPM Build arch: %{_arch}"
|
|||
%global perl_vendorlib %{privlib}/vendor_perl
|
||||
%global perl_vendorarch %{archlib}/vendor_perl
|
||||
|
||||
# For perl-5.14.2-large-repeat-heap-abuse.patch
|
||||
perl regen.pl -v
|
||||
|
||||
/bin/sh Configure -des -Doptimize="$RPM_OPT_FLAGS" \
|
||||
-Dccdlflags="-Wl,--enable-new-dtags" \
|
||||
-DDEBUGGING=-g \
|
||||
|
|
@ -1360,6 +1368,7 @@ pushd %{build_archlib}/CORE/
|
|||
'Fedora Patch6: Skip hostname tests, due to builders not being network capable' \
|
||||
'Fedora Patch7: Dont run one io test due to random builder failures' \
|
||||
'Fedora Patch9: Fix code injection in Digest->new()' \
|
||||
'Fedora Patch10: Change Perl_repeatcpy() to allow count above 2^31' \
|
||||
%{nil}
|
||||
|
||||
rm patchlevel.bak
|
||||
|
|
@ -2290,6 +2299,8 @@ sed \
|
|||
* Thu Oct 06 2011 Petr Pisar <ppisar@redhat.com> - 4:5.14.2-196
|
||||
- Filter false perl(DynaLoader) provide from perl-ExtUtils-MakeMaker
|
||||
(bug #736714)
|
||||
- Change Perl_repeatcpy() prototype to allow repeat count above 2^31
|
||||
(bug #720610)
|
||||
|
||||
* Tue Oct 04 2011 Petr Pisar <ppisar@redhat.com> - 4:5.14.2-195
|
||||
- Fix CVE-2011-3597 (code injection in Digest) (bug #743010)
|
||||
|
|
|
|||
Loading…
Reference in New Issue