From f7e5d464be66b2023d9ebcd06b963e0896cda78f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Mon, 19 Jun 2017 13:45:43 +0200
Subject: [PATCH] Fix a conditional jump on uninitilized memory in re_intuit_start()
---
 ...-Perl_fbm_instr-with-negative-length.patch | 116 ++++++++++++++++++
 perl.spec | 9 +-
 2 files changed, 124 insertions(+), 1 deletion(-)
 create mode 100644 perl-5.26.0-don-t-call-Perl_fbm_instr-with-negative-length.patch
diff --git a/perl-5.26.0-don-t-call-Perl_fbm_instr-with-negative-length.patch b/perl-5.26.0-don-t-call-Perl_fbm_instr-with-negative-length.patch
new file mode 100644
index 0000000..672ffbb
--- /dev/null
+++ b/perl-5.26.0-don-t-call-Perl_fbm_instr-with-negative-length.patch
@@ -0,0 +1,116 @@
+From 10e784017784a8c1b1835b04026f8948eb502e50 Mon Sep 17 00:00:00 2001
+From: David Mitchell
+Date: Fri, 16 Jun 2017 15:46:19 +0100
+Subject: [PATCH] don't call Perl_fbm_instr() with negative length
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported to 5.26.0:
+
+commit bb152a4b442f7718fd37d32cc558be675e8ae1ae
+Author: David Mitchell
+Date: Fri Jun 16 15:46:19 2017 +0100
+
+ don't call Perl_fbm_instr() with negative length
+
+ RT #131575
+
+ re_intuit_start() could calculate a maximum end position less than the
+ current start position. This used to get rejected by fbm_intr(), until
+ v5.23.3-110-g147f21b, which made fbm_intr() faster and removed unnecessary
+ checks.
+
+ This commits fixes re_intuit_start(), and adds an assert to fbm_intr().
+
+Signed-off-by: Petr Písař
+---
+ regexec.c | 17 +++++++++++------
+ t/re/pat.t | 13 ++++++++++++-
+ util.c | 2 ++
+ 3 files changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/regexec.c b/regexec.c
+index 35b88d7..4e82bc2 100644
+--- a/regexec.c
++++ b/regexec.c
+@@ -126,13 +126,16 @@ static const char* const non_utf8_target_but_utf8_required
+ (U8*)(off >= 0 ? reginfo->strend : reginfo->strbeg)) \
+ : (U8*)(pos + off))
+
+-#define HOPBACKc(pos, off) \
+- (char*)(reginfo->is_utf8_target \
+- ? reghopmaybe3((U8*)pos, (SSize_t)0-off, (U8*)(reginfo->strbeg)) \
+- : (pos - off >= reginfo->strbeg) \
+- ? (U8*)pos - off \
++/* like HOPMAYBE3 but backwards. lim must be +ve. Returns NULL on overshoot */
++#define HOPBACK3(pos, off, lim) \
++ (reginfo->is_utf8_target \
++ ? reghopmaybe3((U8*)pos, (SSize_t)0-off, (U8*)(lim)) \
++ : (pos - off >= lim) \
++ ? (U8*)pos - off \
+ : NULL)
+
++#define HOPBACKc(pos, off) ((char*)HOPBACK3(pos, off, reginfo->strbeg))
++
+ #define HOP3(pos,off,lim) (reginfo->is_utf8_target ? reghop3((U8*)(pos), off, (U8*)(lim)) : (U8*)(pos + off))
+ #define HOP3c(pos,off,lim) ((char*)HOP3(pos,off,lim))
+
+@@ -884,7 +887,9 @@ Perl_re_intuit_start(pTHX_
+ (IV)prog->check_end_shift);
+ });
+
+- end_point = HOP3(strend, -end_shift, strbeg);
++ end_point = HOPBACK3(strend, end_shift, rx_origin);
++ if (!end_point)
++ goto fail_finish;
+ start_point = HOPMAYBE3(rx_origin, start_shift, end_point);
+ if (!start_point)
+ goto fail_finish;
+diff --git a/t/re/pat.t b/t/re/pat.t
+index 16bfc8e..2510eab 100644
+--- a/t/re/pat.t
++++ b/t/re/pat.t
+@@ -23,7 +23,7 @@ BEGIN {
+ skip_all('no re module') unless defined &DynaLoader::boot_DynaLoader;
+ skip_all_without_unicode_tables();
+
+-plan tests => 837; # Update this when adding/deleting tests.
++plan tests => 838; # Update this when adding/deleting tests.
+
+ run_tests() unless caller;
+
+@@ -1911,6 +1911,17 @@ EOP
+ # [perl #129281] buffer write overflow, detected by ASAN, valgrind
+ fresh_perl_is('/0(?0)|^*0(?0)|^*(^*())0|/', '', {}, "don't bump whilem_c too much");
+ }
++
++ {
++ # RT #131575 intuit skipping back from the end to find the highest
++ # possible start point, was potentially hopping back beyond pos()
++ # and crashing by calling fbm_instr with a negative length
++
++ my $text = "=t=\x{5000}";
++ pos($text) = 3;
++ ok(scalar($text !~ m{(~*=[a-z]=)}g), "RT #131575");
++ }
++
+ } # End of sub run_tests
+
+ 1;
+diff --git a/util.c b/util.c
+index f1b92a9..69763bc 100644
+--- a/util.c
++++ b/util.c
+@@ -816,6 +816,8 @@ Perl_fbm_instr(pTHX_ unsigned char *big, unsigned char *bigend, SV *littlestr, U
+
+ PERL_ARGS_ASSERT_FBM_INSTR;
+
++ assert(bigend >= big);
++
+ if ((STRLEN)(bigend - big) < littlelen) {
+ if ( tail
+ && ((STRLEN)(bigend - big) == littlelen - 1)
+--
+2.9.4
+
diff --git a/perl.spec b/perl.spec
index 4528650..8938e4c 100644
--- a/perl.spec
+++ b/perl.spec
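Review bot: The non-UTF-8 branch of the new HOPBACK3 macro evaluates `pos - off` before comparing it with `lim`, so whenever `off` is larger than the distance from `pos` back to the start of the buffer the comparison is made on a pointer that has already been moved outside the string, which is undefined behaviour in C (C11 6.5.6p8) even though the pointer is only compared and never dereferenced; since `pos` and `lim` both lie inside the same string, comparing distances avoids forming that pointer and also closes the unparenthesised-argument gap the macro inherits from the old HOPBACKc: `: ((char*)(pos) - (char*)(lim) >= (off)) \` / `? (U8*)(pos) - (off) \` / `: NULL)`. Whether `end_shift` can actually exceed `strend - strbeg` at the new call site in Perl_re_intuit_start() (whose body lies outside the hunk) is not visible here, so treat this as hardening rather than a demonstrated fault. The comment `lim must be +ve` describes a pointer argument; the precondition is really on `off`, so `/* like HOPMAYBE3 but backwards: off must be >= 0, lim is the lowest permitted result. Returns NULL on overshoot */` would read correctly. The `assert(bigend >= big)` added to Perl_fbm_instr() is compiled out of a non-DEBUGGING perl (NDEBUG), and in that build the `(STRLEN)(bigend - big) < littlelen` test that follows turns a negative span into a very large length, so the regexec.c change is the sole runtime protection; the assert deserves a comment saying so, e.g. `/* callers must never pass bigend < big: the STRLEN cast below would treat a negative span as huge (RT #131575) */`.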
@@ -165,6 +165,10 @@ Patch37: perl-5.27.0-perl-131526-don-t-go-beyond-the-end-of-the-NUL-in-my
 # "perl -S", RT#129183, in upstream after 5.27.0
 Patch38: perl-5.27.0-perl-129183-don-t-treat-as-an-escape-in-PATH-for-S.patch
 
+# Fix a conditional jump on uninitilized memory in re_intuit_start(),
+# RT#131575, in upstream after 5.27.0
+Patch39: perl-5.26.0-don-t-call-Perl_fbm_instr-with-negative-length.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
 
@@ -2821,6 +2825,7 @@ Perl extension for Version Objects
 %patch36 -p1
 %patch37 -p1
 %patch38 -p1
+%patch39 -p1
 %patch200 -p1
 %patch201 -p1
 
@@ -2848,6 +2853,7 @@ perl -x patchlevel.h \
 'Fedora Patch36: Fix glob UTF-8 flag on a glob reassignment (RT#131263)' \
 'Fedora Patch37: Fix a buffer overflow in my_atof2() (RT#131526)' \
 'Fedora Patch38: Fix handling backslashes in PATH environment variable when executing "perl -S" (RT#129183)' \
+ 'Fedora Patch39: Fix a conditional jump on uninitilized memory in re_intuit_start() (RT#131575)' \
 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
 %{nil}
@@ -5130,7 +5136,7 @@ popd
 # Old changelog entries are preserved in CVS.
 
 %changelog
-* Fri Jun 16 2017 Petr Pisar - 4:5.26.0-394
+* Mon Jun 19 2017 Petr Pisar - 4:5.26.0-394
 - Make File::Glob more resistant against degenerative matching (RT#131211)
 - Fix a crash when calling a subroutine from a stash (RT#131085)
 - Fix an improper cast of a negative integer to an unsigned 8-bit type (RT#131190)
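Review bot: `uninitilized` in the new Patch39 comment line is misspelled; `uninitialized` is meant, and the same spelling is carried into the added `'Fedora Patch39: …'` description line in the third hunk and into the changelog entry in the hunk that follows. Correcting it in all three places keeps the patchlevel.h description and the package changelog searchable for the real term.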
@@ -5139,6 +5145,7 @@ popd
 - Fix a buffer overflow in my_atof2() (RT#131526)
 - Fix handling backslashes in PATH environment variable when executing "perl -S" (RT#129183)
+- Fix a conditional jump on uninitilized memory in re_intuit_start() (RT#131575)
 
 * Tue Jun 06 2017 Jitka Plesnikova - 4:5.26.0-393
 - Stop providing old perl(MODULE_COMPAT_5.24.*)