Change Perl_repeatcpy() prototype to allow repeat count above 2^31

This commit is contained in:
Petr Písař 2011-10-06 17:43:19 +02:00
parent 585e8123ab
commit f757a4d014
2 changed files with 87 additions and 0 deletions

View File

@ -0,0 +1,76 @@
From 647b6565b7d935eb9b92e057d0c7ae5fe54726e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 6 Oct 2011 16:35:49 +0200
Subject: [PATCH] Don't segfault given string repeat count larger than 2^31
E.g., this overflows INT_MAX and overruns heap memory:
$ perl -le 'print "v"x(2**31+1)'
[Exit 139 (SEGV)]
(Perl_repeatcpy): Use the same type for "count" as our sole
callers in pp.c: IV (long), not I32 (int). Otherwise, passing
the wider value to a narrower "I32 count"
http://thread.gmane.org/gmane.comp.lang.perl.perl5.porters/96812
https://rt.perl.org/rt3/Ticket/Display.html?id=94560
Original author: Jim Meyering <meyering@redhat.com>
Petr Pisar: Modify embed.fnc instead of generated proto.h
---
embed.fnc | 2 +-
util.c | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/embed.fnc b/embed.fnc
index bce167e..8c86a3e 100644
--- a/embed.fnc
+++ b/embed.fnc
@@ -1032,7 +1032,7 @@ EXp |SV*|reg_qr_package|NN REGEXP * const rx
: FIXME - why the E?
Ep |void |regprop |NULLOK const regexp *prog|NN SV* sv|NN const regnode* o
-Anp |void |repeatcpy |NN char* to|NN const char* from|I32 len|I32 count
+Anp |void |repeatcpy |NN char* to|NN const char* from|I32 len|IV count
AnpP |char* |rninstr |NN const char* big|NN const char* bigend \
|NN const char* little|NN const char* lend
Ap |Sighandler_t|rsignal |int i|Sighandler_t t
diff --git a/util.c b/util.c
index 0ea39c6..3d4dcc7 100644
--- a/util.c
+++ b/util.c
@@ -3315,7 +3315,7 @@ Perl_my_pclose(pTHX_ PerlIO *ptr)
#define PERL_REPEATCPY_LINEAR 4
void
-Perl_repeatcpy(register char *to, register const char *from, I32 len, register I32 count)
+Perl_repeatcpy(register char *to, register const char *from, I32 len, register IV count)
{
PERL_ARGS_ASSERT_REPEATCPY;
@@ -3323,19 +3323,19 @@ Perl_repeatcpy(register char *to, register const char *from, I32 len, register I
memset(to, *from, count);
else if (count) {
register char *p = to;
- I32 items, linear, half;
+ IV items, linear, half;
linear = count < PERL_REPEATCPY_LINEAR ? count : PERL_REPEATCPY_LINEAR;
for (items = 0; items < linear; ++items) {
register const char *q = from;
- I32 todo;
+ IV todo;
for (todo = len; todo > 0; todo--)
*p++ = *q++;
}
half = count / 2;
while (items <= half) {
- I32 size = items * len;
+ IV size = items * len;
memcpy(p, to, size);
p += size;
items *= 2;
--
1.7.6.4

View File

@ -71,6 +71,10 @@ Patch8: perl-5.14.1-offtest.patch
# Fix code injection in Digest, rhbz #743010, RT#71390, fixed in Digest-1.17. # Fix code injection in Digest, rhbz #743010, RT#71390, fixed in Digest-1.17.
Patch9: perl-5.14.2-digest_eval.patch Patch9: perl-5.14.2-digest_eval.patch
# Change Perl_repeatcpy() prototype to allow repeat count above 2^31
# rhbz #720610, Perl RT#94560
Patch10: perl-5.14.2-large-repeat-heap-abuse.patch
# Update some of the bundled modules # Update some of the bundled modules
# see http://fedoraproject.org/wiki/Perl/perl.spec for instructions # see http://fedoraproject.org/wiki/Perl/perl.spec for instructions
@ -1165,6 +1169,7 @@ tarball from perl.org.
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch8 -p1
%patch9 -p1 %patch9 -p1
%patch10 -p1
#copy the example script #copy the example script
cp -a %{SOURCE5} . cp -a %{SOURCE5} .
@ -1227,6 +1232,9 @@ echo "RPM Build arch: %{_arch}"
%global perl_vendorlib %{privlib}/vendor_perl %global perl_vendorlib %{privlib}/vendor_perl
%global perl_vendorarch %{archlib}/vendor_perl %global perl_vendorarch %{archlib}/vendor_perl
# For perl-5.14.2-large-repeat-heap-abuse.patch
perl regen.pl -v
/bin/sh Configure -des -Doptimize="$RPM_OPT_FLAGS" \ /bin/sh Configure -des -Doptimize="$RPM_OPT_FLAGS" \
-Dccdlflags="-Wl,--enable-new-dtags" \ -Dccdlflags="-Wl,--enable-new-dtags" \
-DDEBUGGING=-g \ -DDEBUGGING=-g \
@ -1360,6 +1368,7 @@ pushd %{build_archlib}/CORE/
'Fedora Patch6: Skip hostname tests, due to builders not being network capable' \ 'Fedora Patch6: Skip hostname tests, due to builders not being network capable' \
'Fedora Patch7: Dont run one io test due to random builder failures' \ 'Fedora Patch7: Dont run one io test due to random builder failures' \
'Fedora Patch9: Fix code injection in Digest->new()' \ 'Fedora Patch9: Fix code injection in Digest->new()' \
'Fedora Patch10: Change Perl_repeatcpy() to allow count above 2^31' \
%{nil} %{nil}
rm patchlevel.bak rm patchlevel.bak
@ -2290,6 +2299,8 @@ sed \
* Thu Oct 06 2011 Petr Pisar <ppisar@redhat.com> - 4:5.14.2-196 * Thu Oct 06 2011 Petr Pisar <ppisar@redhat.com> - 4:5.14.2-196
- Filter false perl(DynaLoader) provide from perl-ExtUtils-MakeMaker - Filter false perl(DynaLoader) provide from perl-ExtUtils-MakeMaker
(bug #736714) (bug #736714)
- Change Perl_repeatcpy() prototype to allow repeat count above 2^31
(bug #720610)
* Tue Oct 04 2011 Petr Pisar <ppisar@redhat.com> - 4:5.14.2-195 * Tue Oct 04 2011 Petr Pisar <ppisar@redhat.com> - 4:5.14.2-195
- Fix CVE-2011-3597 (code injection in Digest) (bug #743010) - Fix CVE-2011-3597 (code injection in Digest) (bug #743010)