diff --git a/perl-5.14.2-large-repeat-heap-abuse.patch b/perl-5.14.2-large-repeat-heap-abuse.patch
new file mode 100644
index 0000000..1793c7a
--- /dev/null
+++ b/perl-5.14.2-large-repeat-heap-abuse.patch
@@ -0,0 +1,76 @@
+From 647b6565b7d935eb9b92e057d0c7ae5fe54726e2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Thu, 6 Oct 2011 16:35:49 +0200
+Subject: [PATCH] Don't segfault given string repeat count larger than 2^31
+
+E.g., this overflows INT_MAX and overruns heap memory:
+
+ $ perl -le 'print "v"x(2**31+1)'
+ [Exit 139 (SEGV)]
+
+(Perl_repeatcpy): Use the same type for "count" as our sole
+callers in pp.c: IV (long), not I32 (int). Otherwise, passing
+the wider value to a narrower "I32 count"
+
+ http://thread.gmane.org/gmane.comp.lang.perl.perl5.porters/96812
+ https://rt.perl.org/rt3/Ticket/Display.html?id=94560
+
+Original author: Jim Meyering
+Petr Pisar: Modify embed.fnc instead of generated proto.h
+---
+ embed.fnc | 2 +-
+ util.c | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/embed.fnc b/embed.fnc
+index bce167e..8c86a3e 100644
+--- a/embed.fnc
++++ b/embed.fnc
+@@ -1032,7 +1032,7 @@ EXp |SV*|reg_qr_package|NN REGEXP * const rx
+
+ : FIXME - why the E?
+ Ep |void |regprop |NULLOK const regexp *prog|NN SV* sv|NN const regnode* o +-Anp |void |repeatcpy |NN char* to|NN const char* from|I32 len|I32 count ++Anp |void |repeatcpy |NN char* to|NN const char* from|I32 len|IV count + AnpP |char* |rninstr |NN const char* big|NN const char* bigend \ + |NN const char* little|NN const char* lend + Ap |Sighandler_t|rsignal |int i|Sighandler_t t +diff --git a/util.c b/util.c +index 0ea39c6..3d4dcc7 100644 +--- a/util.c ++++ b/util.c +@@ -3315,7 +3315,7 @@ Perl_my_pclose(pTHX_ PerlIO *ptr) + + #define PERL_REPEATCPY_LINEAR 4 + void +-Perl_repeatcpy(register char *to, register const char *from, I32 len, register I32 count) ++Perl_repeatcpy(register char *to, register const char *from, I32 len, register IV count) + { + PERL_ARGS_ASSERT_REPEATCPY; + +@@ -3323,19 +3323,19 @@ Perl_repeatcpy(register char *to, register const char *from, I32 len, register I + memset(to, *from, count); + else if (count) { + register char *p = to; +- I32 items, linear, half; ++ IV items, linear, half; + + linear = count < PERL_REPEATCPY_LINEAR ? count : PERL_REPEATCPY_LINEAR; + for (items = 0; items < linear; ++items) { + register const char *q = from; +- I32 todo; ++ IV todo; + for (todo = len; todo > 0; todo--) + *p++ = *q++; + } + + half = count / 2; + while (items <= half) { +- I32 size = items * len; ++ IV size = items * len; + memcpy(p, to, size); + p += size; + items *= 2; +-- +1.7.6.4 + diff --git a/perl.spec b/perl.spec index b9371bb..ef473ac 100644 --- a/perl.spec +++ b/perl.spec @@ -71,6 +71,10 @@ Patch8: perl-5.14.1-offtest.patch # Fix code injection in Digest, rhbz #743010, RT#71390, fixed in Digest-1.17. Patch9: perl-5.14.2-digest_eval.patch +# Change Perl_repeatcpy() prototype to allow repeat count above 2^31 +# rhbz #720610, Perl RT#94560 +Patch10: perl-5.14.2-large-repeat-heap-abuse.patch + # Update some of the bundled modules # see http://fedoraproject.org/wiki/Perl/perl.spec for instructions 
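Review bot: Widening `count` to `IV` in the embedded util.c hunks removes the truncation, but nothing in the visible body of `Perl_repeatcpy` rejects a negative `count` or bounds the product of `count` and `len`. `memset(to, *from, count)` converts `count` to `size_t`, so a negative value becomes a very large length, and `IV size = items * len;` is a signed multiply that can still overflow on builds where `IV` is only 32 bits wide. The callers in pp.c are not part of this patch, so whether they already guarantee these bounds cannot be confirmed from here. I would state the precondition at the top of the function, e.g. `/* count and len must be non-negative; caller guarantees count * len bytes fit at "to" */`, and add `assert(count >= 0 && len >= 0);` after `PERL_ARGS_ASSERT_REPEATCPY;`. The function body starts before and continues past the second util.c hunk, so the branch condition above the `memset` and the tail copy after the doubling loop are not visible.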
@@ -1165,6 +1169,7 @@ tarball from perl.org. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 #copy the example script cp -a %{SOURCE5} . @@ -1227,6 +1232,9 @@ echo "RPM Build arch: %{_arch}" %global perl_vendorlib %{privlib}/vendor_perl %global perl_vendorarch %{archlib}/vendor_perl +# For perl-5.14.2-large-repeat-heap-abuse.patch +perl regen.pl -v + /bin/sh Configure -des -Doptimize="$RPM_OPT_FLAGS" \ -Dccdlflags="-Wl,--enable-new-dtags" \ -DDEBUGGING=-g \ @@ -1360,6 +1368,7 @@ pushd %{build_archlib}/CORE/ 'Fedora Patch6: Skip hostname tests, due to builders not being network capable' \ 'Fedora Patch7: Dont run one io test due to random builder failures' \ 'Fedora Patch9: Fix code injection in Digest->new()' \ + 'Fedora Patch10: Change Perl_repeatcpy() to allow count above 2^31' \ %{nil} rm patchlevel.bak @@ -2290,6 +2299,8 @@ sed \ * Thu Oct 06 2011 Petr Pisar - 4:5.14.2-196 - Filter false perl(DynaLoader) provide from perl-ExtUtils-MakeMaker (bug #736714) +- Change Perl_repeatcpy() prototype to allow repeat count above 2^31 + (bug #720610) * Tue Oct 04 2011 Petr Pisar - 4:5.14.2-195 - Fix CVE-2011-3597 (code injection in Digest) (bug #743010)
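Review bot: The comment above `perl regen.pl -v` in the `@@ -1227,6 +1232,9 @@` hunk names the patch but not the reason the step exists, which a later maintainer dropping or reordering patches will need. Something like `# Patch10 edits embed.fnc; regenerate the derived headers (proto.h etc.) before Configure` would record it. The step also runs whichever `perl` is first on the builder's PATH; these hunks do not show a matching `BuildRequires`, so it is worth confirming the spec declares one.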