From 2b7345253277a43a11c48fe16f008b51c2d1a074 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
Date: Fri, 10 Feb 2017 11:13:47 +0100
Subject: Fix a buffer overrun with format and "use bytes"

---
 ...-buffer-overrun-with-format-and-use-bytes.patch | 93 ++++++++++++++++++++++
 perl.spec                                          |  7 ++
 2 files changed, 100 insertions(+)
 create mode 100644 perl-5.24.1-buffer-overrun-with-format-and-use-bytes.patch

diff --git a/perl-5.24.1-buffer-overrun-with-format-and-use-bytes.patch 
b/perl-5.24.1-buffer-overrun-with-format-and-use-bytes.patch
new file mode 100644
index 0000000..8e9d245
--- /dev/null
+++ b/perl-5.24.1-buffer-overrun-with-format-and-use-bytes.patch
@@ -0,0 +1,93 @@
+From fd25d49cae6409a4ce901fd4d899a197541604b3 Mon Sep 17 00:00:00 2001
+From: David Mitchell <[email protected]>
+Date: Sat, 4 Feb 2017 15:10:49 +0000
+Subject: [PATCH] buffer overrun with format and 'use bytes'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported to 5.24.1:
+
+commit e452bf1c9e9f30813b1f289188a6e8b0894575ba
+Author: David Mitchell <[email protected]>
+Date:   Sat Feb 4 15:10:49 2017 +0000
+
+    buffer overrun with format and 'use bytes'
+
+    RT #130703
+
+    In the scope of 'use bytes', appending a string to a format where the
+    format is utf8 and the string is non-utf8 but contains lots of chars
+    with ords >= 128, the buffer could be overrun. This is due to all the
+    \x80-type chars going from being stored as 1 bytes to 2 bytes, without
+    growing PL_formtarget accordingly.
+
+    This commit contains a minimal fix; the next commit will more generally
+    tidy up the grow code in pp_formline.
+
+Signed-off-by: Petr Písař <[email protected]>
+---
+ pp_ctl.c     |  3 +++
+ t/op/write.t | 18 +++++++++++++++++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/pp_ctl.c b/pp_ctl.c
+index a1fc2f4..4d5ef2e 100644
+--- a/pp_ctl.c
++++ b/pp_ctl.c
+@@ -505,6 +505,8 @@ PP(pp_formline)
+       SvTAINTED_on(PL_formtarget);
+     if (DO_UTF8(PL_formtarget))
+       targ_is_utf8 = TRUE;
++    /* this is an initial estimate of how much output buffer space
++     * to allocate. It may be exceeded later */
+     linemax = (SvCUR(formsv) * (IN_BYTES ? 1 : 3) + 1);
+     t = SvGROW(PL_formtarget, len + linemax + 1);
+     /* XXX from now onwards, SvCUR(PL_formtarget) is invalid */
+@@ -766,6 +768,7 @@ PP(pp_formline)
+ 
+               if (targ_is_utf8 && !item_is_utf8) {
+                   source = tmp = bytes_to_utf8(source, &to_copy);
++                    grow = to_copy;
+               } else {
+                   if (item_is_utf8 && !targ_is_utf8) {
+                       U8 *s;
+diff --git a/t/op/write.t b/t/op/write.t
+index ab2733f..ae4ddb5 100644
+--- a/t/op/write.t
++++ b/t/op/write.t
+@@ -98,7 +98,7 @@ for my $tref ( @NumTests ){
+ my $bas_tests = 21;
+ 
+ # number of tests in section 3
+-my $bug_tests = 66 + 3 * 3 * 5 * 2 * 3 + 2 + 66 + 6 + 2 + 3 + 96 + 11 + 3;
++my $bug_tests = 66 + 3 * 3 * 5 * 2 * 3 + 2 + 66 + 6 + 2 + 3 + 96 + 11 + 4;
+ 
+ # number of tests in section 4
+ my $hmb_tests = 37;
+@@ -1562,6 +1562,22 @@ ok  defined *{$::{CmT}}{FORMAT}, "glob assign";
+     formline $format, $orig, 12345;
+     is $^A, ("x" x 100) . " 12345\n", "\@* doesn't overflow";
+ 
++    # ...nor this (RT #130703).
++    # Under 'use bytes', the two bytes (c2, 80) making up each \x80 char
++    # each get expanded to two bytes (so four in total per \x80 char); the
++    # buffer growth wasn't accounting for this doubling in size
++
++    {
++        local $^A = '';
++        my $format = "X\n\x{100}" . ("\x80" x 200);
++        my $expected = $format;
++        utf8::encode($expected);
++        use bytes;
++        formline($format);
++        is $^A, $expected, "RT #130703";
++    }
++
++
+     # make sure it can cope with formats > 64k
+ 
+     $format = 'x' x 65537;
+-- 
+2.7.4
+
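Review bot: The pp_ctl.c hunk fixes the overrun by setting `grow = to_copy;` after `bytes_to_utf8`, which presumably feeds a later SvGROW of PL_formtarget outside the hunk, while the initial `linemax` estimate keeps a x1 factor under `IN_BYTES` even when the target is utf8, so that later grow is the only thing keeping the upgraded item inside the buffer; pp_formline itself starts and ends outside the hunk. The added comment could state that dependency, e.g. `/* Under 'use bytes' no x3 factor is applied, so a utf8 upgrade of a non-utf8 item must grow the target itself (see grow = to_copy below) */`. The upstream message says a follow-up commit generalises the grow code in pp_formline, and that follow-up is not part of this backport, which is worth recording in the file header so the remaining gap is tracked rather than assumed closed. The t/op/write.t count bump from `+ 3` to `+ 4` matches the single `is` added, and the `use bytes` in the new block is lexically scoped to it, so the rest of the test file is unaffected.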
diff --git a/perl.spec b/perl.spec
index 140973a..30bf449 100644
--- a/perl.spec
+++ b/perl.spec
@@ -194,6 +194,10 @@ Patch64:        
perl-5.22.3-fix-RT-130561-recursion-and-optimising-away-impossib
 Patch65:        perl-5.22.3-only-mess-with-NEXT_OFF-when-we-are-in-PASS2.patch
 Patch66:        
perl-5.25.9-silence-warnings-from-tests-about-impossible-quantif.patch
 
+# Fix a buffer overrun with format and "use bytes", RT#130703,
+# in upstream after 5.25.9
+Patch67:        perl-5.24.1-buffer-overrun-with-format-and-use-bytes.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       
perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
 
@@ -2502,6 +2506,7 @@ Perl extension for Version Objects
 %patch64 -p1
 %patch65 -p1
 %patch66 -p1
+%patch67 -p1
 %patch200 -p1
 %patch201 -p1
 
@@ -2554,6 +2559,7 @@ perl -x patchlevel.h \
     'Fedora Patch62: Fix parsing goto statements in multicalled subroutine 
(RT#113938)' \
     'Fedora Patch63: Fix a heap overlow in parsing $# (RT#129274)' \
     'Fedora Patch64: Fix a crash when compiling a regexp with impossible 
quantifiers (RT#130561)' \
+    'Fedora Patch67: Fix a buffer overrun with format and "use bytes" 
(RT#130703)' \
     'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on 
Linux' \
     'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
     %{nil}
@@ -4808,6 +4814,7 @@ popd
 %changelog
 * Fri Feb 17 2017 Petr Pisar <[email protected]> - 4:5.22.3-369
 - Fix a crash when compiling a regexp with impossible quantifiers (RT#130561)
+- Fix a buffer overrun with format and "use bytes" (RT#130703)
 
 * Thu Jan 26 2017 Petr Pisar <[email protected]> - 4:5.22.3-368
 - Fix UTF-8 string handling in & operator (RT#129287)
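Review bot: The new changelog line is appended to the existing `4:5.22.3-369` entry rather than opening a new one, and the perl.spec diffstat shows insertions only, so `Release:` is not bumped by this commit; that is fine only if -369 has not been built yet, otherwise a fresh entry with a bumped release is needed. The entry is dated Feb 17 while the commit is dated Feb 10, which suggests the hunk was written for a later build, so confirm the date is intended. The `Patch67` comment says the fix landed upstream after 5.25.9, while the file is named for 5.24.1 and applied to a 5.22.3 spec; presumably it applies cleanly, but stating that in the comment would save the next maintainer the check.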
-- 
cgit v1.1


        