66 lines
2.0 KiB
Diff
66 lines
2.0 KiB
Diff
From cd6b0f4e030d55ff077e9bc8fbcf156ab79dceb1 Mon Sep 17 00:00:00 2001
|
|
From: Tony Cook <tony@develop-help.com>
|
|
Date: Wed, 7 Sep 2016 16:51:39 +1000
|
|
Subject: [PATCH] (perl #129149) avoid a heap buffer overflow with pack "W"...
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Petr Písař: Ported to 5.24.4:
|
|
|
|
From bf4a926a29374161655548b149d1cb37300bcc05 Mon Sep 17 00:00:00 2001
|
|
From: Tony Cook <tony@develop-help.com>
|
|
Date: Wed, 7 Sep 2016 16:51:39 +1000
|
|
Subject: [PATCH] (perl #129149) avoid a heap buffer overflow with pack "W"...
|
|
|
|
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
---
|
|
pp_pack.c | 2 +-
|
|
t/op/pack.t | 13 ++++++++++++-
|
|
2 files changed, 13 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/pp_pack.c b/pp_pack.c
|
|
index c0de5ab..29fdb01 100644
|
|
--- a/pp_pack.c
|
|
+++ b/pp_pack.c
|
|
@@ -2598,7 +2598,7 @@ S_pack_rec(pTHX_ SV *cat, tempsym_t* symptr, SV **beglist, SV **endlist )
|
|
if (in_bytes) auv = auv % 0x100;
|
|
if (utf8) {
|
|
W_utf8:
|
|
- if (cur > end) {
|
|
+ if (cur >= end) {
|
|
*cur = '\0';
|
|
SvCUR_set(cat, cur - start);
|
|
|
|
diff --git a/t/op/pack.t b/t/op/pack.t
|
|
index a480c3a..cf5ae78 100644
|
|
--- a/t/op/pack.t
|
|
+++ b/t/op/pack.t
|
|
@@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' :
|
|
my $no_signedness = $] > 5.009 ? '' :
|
|
"Signed/unsigned pack modifiers not available on this perl";
|
|
|
|
-plan tests => 14716;
|
|
+plan tests => 14717;
|
|
|
|
use strict;
|
|
use warnings qw(FATAL all);
|
|
@@ -2066,3 +2066,14 @@ SKIP:
|
|
fresh_perl_like('pack "c10f1073741824"', qr/Out of memory during pack/, { stderr => 1 },
|
|
"integer overflow calculating allocation (multiply)");
|
|
}
|
|
+
|
|
+{
|
|
+ # [perl #129149] the code below would write one past the end of the output
|
|
+ # buffer, only detected by ASAN, not by valgrind
|
|
+ $Config{ivsize} >= 8
|
|
+ or skip "[perl #129149] need 64-bit for this test", 1;
|
|
+ fresh_perl_is(<<'EOS', "ok\n", { stderr => 1 }, "pack W overflow");
|
|
+print pack("ucW", "0000", 0, 140737488355327) eq "\$,#`P,```\n\0\x{7fffffffffff}"
|
|
+ ? "ok\n" : "not ok\n";
|
|
+EOS
|
|
+}
|
|
--
|
|
2.14.3
|
|
|