Change Perl_repeatcpy() prototype to allow repeat count above 2^31

2011-10-06 17:43:19 +02:00 · 2011-10-06 17:43:19 +02:00 · f757a4d014
commit f757a4d014
parent 585e8123ab
2 changed files with 87 additions and 0 deletions
--- a/perl-5.14.2-large-repeat-heap-abuse.patch
+++ b/perl-5.14.2-large-repeat-heap-abuse.patch
@ -0,0 +1,76 @@
+From 647b6565b7d935eb9b92e057d0c7ae5fe54726e2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 6 Oct 2011 16:35:49 +0200
+Subject: [PATCH] Don't segfault given string repeat count larger than 2^31
+
+E.g., this overflows INT_MAX and overruns heap memory:
+
+    $ perl -le 'print "v"x(2**31+1)'
+    [Exit 139 (SEGV)]
+
+(Perl_repeatcpy): Use the same type for "count" as our sole
+callers in pp.c: IV (long), not I32 (int).  Otherwise, passing
+the wider value to a narrower "I32 count"
+
+    http://thread.gmane.org/gmane.comp.lang.perl.perl5.porters/96812
+    https://rt.perl.org/rt3/Ticket/Display.html?id=94560
+
+Original author: Jim Meyering <meyering@redhat.com>
+Petr Pisar: Modify embed.fnc instead of generated proto.h
+---
+ embed.fnc |    2 +-
+ util.c    |    8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/embed.fnc b/embed.fnc
+index bce167e..8c86a3e 100644
+--- a/embed.fnc
+++ b/embed.fnc
+@@ -1032,7 +1032,7 @@ EXp	|SV*|reg_qr_package|NN REGEXP * const rx
+ 
+ : FIXME - why the E?
+ Ep	|void	|regprop	|NULLOK const regexp *prog|NN SV* sv|NN const regnode* o
+-Anp	|void	|repeatcpy	|NN char* to|NN const char* from|I32 len|I32 count
+Anp	|void	|repeatcpy	|NN char* to|NN const char* from|I32 len|IV count
+ AnpP	|char*	|rninstr	|NN const char* big|NN const char* bigend \
+ 				|NN const char* little|NN const char* lend
+ Ap	|Sighandler_t|rsignal	|int i|Sighandler_t t
+diff --git a/util.c b/util.c
+index 0ea39c6..3d4dcc7 100644
+--- a/util.c
+++ b/util.c
+@@ -3315,7 +3315,7 @@ Perl_my_pclose(pTHX_ PerlIO *ptr)
+ 
+ #define PERL_REPEATCPY_LINEAR 4
+ void
+-Perl_repeatcpy(register char *to, register const char *from, I32 len, register I32 count)
+Perl_repeatcpy(register char *to, register const char *from, I32 len, register IV count)
+ {
+     PERL_ARGS_ASSERT_REPEATCPY;
+ 
+@@ -3323,19 +3323,19 @@ Perl_repeatcpy(register char *to, register const char *from, I32 len, register I
+ 	memset(to, *from, count);
+     else if (count) {
+ 	register char *p = to;
+-	I32 items, linear, half;
+	IV items, linear, half;
+ 
+ 	linear = count < PERL_REPEATCPY_LINEAR ? count : PERL_REPEATCPY_LINEAR;
+ 	for (items = 0; items < linear; ++items) {
+ 	    register const char *q = from;
+-	    I32 todo;
+	    IV todo;
+ 	    for (todo = len; todo > 0; todo--)
+ 		*p++ = *q++;
+         }
+ 
+ 	half = count / 2;
+ 	while (items <= half) {
+-	    I32 size = items * len;
+	    IV size = items * len;
+ 	    memcpy(p, to, size);
+ 	    p     += size;
+ 	    items *= 2;
+-- 
+1.7.6.4
+
--- a/perl.spec
+++ b/perl.spec
@ -71,6 +71,10 @@ Patch8:         perl-5.14.1-offtest.patch
 # Fix code injection in Digest, rhbz #743010, RT#71390, fixed in Digest-1.17.
 Patch9:         perl-5.14.2-digest_eval.patch

+# Change Perl_repeatcpy() prototype to allow repeat count above 2^31
+# rhbz #720610, Perl RT#94560
+Patch10:        perl-5.14.2-large-repeat-heap-abuse.patch
+
 # Update some of the bundled modules
 # see http://fedoraproject.org/wiki/Perl/perl.spec for instructions

@ -1165,6 +1169,7 @@ tarball from perl.org.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1

 #copy the example script
 cp -a %{SOURCE5} .
@ -1227,6 +1232,9 @@ echo "RPM Build arch: %{_arch}"
 %global perl_vendorlib  %{privlib}/vendor_perl
 %global perl_vendorarch %{archlib}/vendor_perl

+# For perl-5.14.2-large-repeat-heap-abuse.patch 
+perl regen.pl -v
+
 /bin/sh Configure -des -Doptimize="$RPM_OPT_FLAGS" \
        -Dccdlflags="-Wl,--enable-new-dtags" \
        -DDEBUGGING=-g \
@ -1360,6 +1368,7 @@ pushd %{build_archlib}/CORE/
    'Fedora Patch6: Skip hostname tests, due to builders not being network capable' \
    'Fedora Patch7: Dont run one io test due to random builder failures' \
    'Fedora Patch9: Fix code injection in Digest->new()' \
+    'Fedora Patch10: Change Perl_repeatcpy() to allow count above 2^31' \ 
    %{nil}

 rm patchlevel.bak
@ -2290,6 +2299,8 @@ sed \
 * Thu Oct 06 2011 Petr Pisar <ppisar@redhat.com> - 4:5.14.2-196
 - Filter false perl(DynaLoader) provide from perl-ExtUtils-MakeMaker
  (bug #736714)
+- Change Perl_repeatcpy() prototype to allow repeat count above 2^31
+  (bug #720610)

 * Tue Oct 04 2011 Petr Pisar <ppisar@redhat.com> - 4:5.14.2-195
 - Fix CVE-2011-3597 (code injection in Digest) (bug #743010)