From 5888bbf500cec47a00b4d2bfe9ebb218810471da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
Date: Wed, 8 Mar 2017 12:41:54 +0100
Subject: Fix an invalid memory read when parsing a loop variable
---
 ...-update-pointer-into-PL_linestr-after-loo.patch | 50 +++++++++++++++
 perl-5.25.10-fix-VMS-test-fail.patch | 44 +++++++++++++
 ...-Add-testcase-and-new-testfile-t-comp-par.patch | 55 ++++++++++++++++
 ...-5.25.2-t-test.pl-Add-fresh_perl-function.patch | 74 ++++++++++++++++++++++
 perl.spec | 16 +++++
 5 files changed, 239 insertions(+)
 create mode 100644 perl-5.24.1-perl-130814-update-pointer-into-PL_linestr-after-loo.patch
 create mode 100644 perl-5.25.10-fix-VMS-test-fail.patch
 create mode 100644 perl-5.25.10-perl-130814-Add-testcase-and-new-testfile-t-comp-par.patch
 create mode 100644 perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch
diff --git a/perl-5.24.1-perl-130814-update-pointer-into-PL_linestr-after-loo.patch b/perl-5.24.1-perl-130814-update-pointer-into-PL_linestr-after-loo.patch
new file mode 100644
index 0000000..6a6df7f
--- /dev/null
+++ b/perl-5.24.1-perl-130814-update-pointer-into-PL_linestr-after-loo.patch
@@ -0,0 +1,50 @@
+From 9df34f9c4701104a366e768237ca694411136d2a Mon Sep 17 00:00:00 2001
+From: Hugo van der Sanden <h...@crypt.org>
+Date: Sun, 19 Feb 2017 10:46:09 +0000
+Subject: [PATCH] update pointer into PL_linestr after lookahead
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported to: 5.24.1:
+
+commit 90f2cc9a600117a49f8ee3e30cc681f062350c24
+Author: Hugo van der Sanden <h...@crypt.org>
+Date: Sun Feb 19 10:46:09 2017 +0000
+
+ [perl #130814] update pointer into PL_linestr after lookahead
+
+ Looking ahead for the "Missing $ on loop variable" diagnostic can reallocate
+ PL_linestr, invalidating our pointer. Save the offset so we can update it
+ in that case.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ toke.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/toke.c b/toke.c
+index 630fc59..029d2ea 100644
+--- a/toke.c
++++ b/toke.c
+@@ -7565,6 +7565,7 @@ Perl_yylex(pTHX)
+ s = skipspace(s);
+ if (PL_expect == XSTATE && isIDFIRST_lazy_if(s,UTF)) {
+ char *p = s;
++ SSize_t s_off = s - SvPVX(PL_linestr);
+
+ if ((PL_bufend - p) >= 3
+ && strnEQ(p, "my", 2) && isSPACE(*(p + 2)))
+@@ -7582,6 +7583,9 @@ Perl_yylex(pTHX)
+ }
+ if (*p != '$')
+ Perl_croak(aTHX_ "Missing $ on loop variable");
++
++ /* The buffer may have been reallocated, update s */
++ s = SvPVX(PL_linestr) + s_off;
+ }
+ OPERATOR(FOR);
+
+--
+2.7.4
+
diff --git a/perl-5.25.10-fix-VMS-test-fail.patch b/perl-5.25.10-fix-VMS-test-fail.patch
new file mode 100644
index 0000000..38cc190
--- /dev/null
+++ b/perl-5.25.10-fix-VMS-test-fail.patch
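Review bot: The new `s_off` declaration in the first toke.c hunk carries no comment, so a reader at `char *p = s;` is not told that `s` must not be dereferenced again until the rebase in the second hunk; I would add `/* offset of s within PL_linestr; the lookahead below can reallocate the buffer */` above it. The rebase itself is unconditional, which is the right shape for this kind of stale-pointer read because it does not depend on detecting whether a reallocation actually happened. The lookahead code between the two hunks and the rest of Perl_yylex are outside the visible lines, so any other use of `s` in that stretch could not be checked here and is worth confirming against the full function.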
@@ -0,0 +1,44 @@
+From bce4a2abeb8652d19e97d3bf07dd2580a3cc2e6c Mon Sep 17 00:00:00 2001
+From: Hugo van der Sanden <h...@crypt.org>
+Date: Sat, 25 Feb 2017 10:42:17 +0000
+Subject: [PATCH] fix VMS test fail
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+d7186add added a runperl() test that breaks command line length limits for
+VMS. Switch to fresh_perl() instead, so the prog is put in a file for us.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ t/comp/parser_run.t | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/t/comp/parser_run.t b/t/comp/parser_run.t
+index 2543f49..e74644d 100644
+--- a/t/comp/parser_run.t
++++ b/t/comp/parser_run.t
+@@ -14,14 +14,14 @@ plan(1);
+
+ # [perl #130814] can reallocate lineptr while looking ahead for
+ # "Missing $ on loop variable" diagnostic.
+-my $result = runperl(
+- prog => " foreach m0\n\$" . ("0" x 0x2000),
+- stderr => 1,
++my $result = fresh_perl(
++ " foreach m0\n\$" . ("0" x 0x2000),
++ { stderr => 1 },
+ );
+-is($result, <<EXPECT);
+-syntax error at -e line 3, near "foreach m0
++is($result . "\n", <<EXPECT);
++syntax error at - line 3, near "foreach m0
+ "
+-Identifier too long at -e line 3.
++Identifier too long at - line 3.
+ EXPECT
+
+ __END__
+--
+2.7.4
+
diff --git a/perl-5.25.10-perl-130814-Add-testcase-and-new-testfile-t-comp-par.patch b/perl-5.25.10-perl-130814-Add-testcase-and-new-testfile-t-comp-par.patch
new file mode 100644
index 0000000..570df14
--- /dev/null
+++ b/perl-5.25.10-perl-130814-Add-testcase-and-new-testfile-t-comp-par.patch
@@ -0,0 +1,55 @@
+From d7186addd1b477f6bdcef5e9d24f2125691a9082 Mon Sep 17 00:00:00 2001
+From: Hugo van der Sanden <h...@crypt.org>
+Date: Sun, 19 Feb 2017 11:15:38 +0000
+Subject: [PATCH] [perl #130814] Add testcase, and new testfile
+ t/comp/parser_run.t
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Sometimes it's useful to have test.pl around, but it seems inappropriate
+to pollute the existing t/comp/parser.t with that.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ t/comp/parser_run.t | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+ create mode 100644 t/comp/parser_run.t
+
+diff --git a/t/comp/parser_run.t b/t/comp/parser_run.t
+new file mode 100644
+index 0000000..2543f49
+--- /dev/null
++++ b/t/comp/parser_run.t
+@@ -0,0 +1,28 @@
++#!./perl
++
++# Parser tests that want test.pl, eg to use runperl() for tests to show
++# reads through invalid pointers.
++# Note that this should still be runnable under miniperl.
++
++BEGIN {
++ @INC = qw(. ../lib );
++ chdir 't' if -d 't';
++}
++
++require './test.pl';
++plan(1);
++
++# [perl #130814] can reallocate lineptr while looking ahead for
++# "Missing $ on loop variable" diagnostic.
++my $result = runperl(
++ prog => " foreach m0\n\$" . ("0" x 0x2000),
++ stderr => 1,
++);
++is($result, <<EXPECT);
++syntax error at -e line 3, near "foreach m0
++"
++Identifier too long at -e line 3.
++EXPECT
++
++__END__
++# ex: set ts=8 sts=4 sw=4 et:
+--
+2.7.4
+
diff --git a/perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch b/perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch
new file mode 100644
index 0000000..24d7f60
--- /dev/null
+++ b/perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch
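Review bot: The new test in t/comp/parser_run.t asserts only the text of the two diagnostics, so whether it fails on an unfixed perl depends on what the stale read happens to return; it is a dependable regression check mainly when the suite runs under a memory checker. I would say so next to the existing comment, e.g. `# An invalid read may not change the output; run under valgrind or ASan to detect a regression reliably.` The `0x2000` repeat count is also unexplained; presumably it is sized to make the line buffer grow during the lookahead, and if that is the intent a short comment such as `# long enough to force PL_linestr to be reallocated` would keep it from being trimmed later. Both points apply equally to the fresh_perl() form of this call in perl-5.25.10-fix-VMS-test-fail.patch.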
@@ -0,0 +1,74 @@
+From f6203e997f3012b8aab4cd35fe49f58e4d71fb8c Mon Sep 17 00:00:00 2001
+From: Karl Williamson <k...@cpan.org>
+Date: Sun, 10 Jul 2016 22:06:12 -0600
+Subject: [PATCH] t/test.pl: Add fresh_perl() function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This will be useful for cases where the results don't readily fall into
+fresh_perl_is and fresh_perl_like, such as when a bunch of massaging of
+the results is needed before it is convenient to test them.
+fresh_perl_like() could be used, but in the case of failure there could
+be lines and lines of noise output.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ t/test.pl | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/t/test.pl b/t/test.pl
+index 41b77f4..20d08e9 100644
+--- a/t/test.pl
++++ b/t/test.pl
+@@ -953,11 +953,16 @@ sub register_tempfile {
+ return $count;
+ }
+
+-# This is the temporary file for _fresh_perl
++# This is the temporary file for fresh_perl
+ my $tmpfile = tempfile();
+
+-sub _fresh_perl {
+- my($prog, $action, $expect, $runperl_args, $name) = @_;
++sub fresh_perl {
++ my($prog, $runperl_args) = @_;
++
++ # Run 'runperl' with the complete perl program contained in '$prog', and
++ # arguments in the hash referred to by '$runperl_args'. The results are
++ # returned, with $? set to the exit code. Unless overridden, stderr is
++ # redirected to stdout.
+
+ # Given the choice of the mis-parsable {}
+ # (we want an anon hash, but a borked lexer might think that it's a block)
+@@ -975,7 +980,8 @@ sub _fresh_perl {
+ close TEST or die "Cannot close $tmpfile: $!";
+
+ my $results = runperl(%$runperl_args);
+- my $status = $?;
++ my $status = $?; # Not necessary to save this, but it makes it clear to
++ # future maintainers.
+
+ # Clean up the results into something a bit more predictable.
+ $results =~ s/\n+$//;
+@@ -994,6 +1000,17 @@ sub _fresh_perl {
+ $results =~ s/\n\n/\n/g;
+ }
+
++ $? = $status;
++ return $results;
++}
++
++
++sub _fresh_perl {
++ my($prog, $action, $expect, $runperl_args, $name) = @_;
++
++ my $results = fresh_perl($prog, $runperl_args);
++ my $status = $?;
++
+ # Use the first line of the program as a name if none was given
+ unless( $name ) {
+ ($first_line, $name) = $prog =~ /^((.{1,50}).*)/;
+--
+2.7.4
+
diff --git a/perl.spec b/perl.spec
index e278ddc..fe1407d 100644
--- a/perl.spec
+++ b/perl.spec
@@ -307,6 +307,16 @@ Patch86: perl-5.24.1-perl-129340-copy-the-source-when-inside-the-dest-in-
 # in upstream after 5.25.10
 Patch87: perl-5.24.1-perl-130822-fix-an-AV-leak-in-Perl_reg_named_buff_fe.patch
+# Fix an invalid memory read when parsing a loop variable, RT#130814,
+# in upstream after 5.25.10
+Patch88: perl-5.25.10-perl-130814-Add-testcase-and-new-testfile-t-comp-par.patch
+# in upstream after 5.25.10
+Patch89: perl-5.24.1-perl-130814-update-pointer-into-PL_linestr-after-loo.patch
+# in upstream after 5.25.2
+Patch90: perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch
+# in upstream after 5.25.10
+Patch91: perl-5.25.10-fix-VMS-test-fail.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@@ -3017,6 +3027,10 @@ Perl extension for Version Objects
 %patch85 -p1
 %patch86 -p1
 %patch87 -p1
+%patch88 -p1
+%patch89 -p1
+%patch90 -p1
+%patch91 -p1
 %patch200 -p1
 %patch201 -p1
@@ -3089,6 +3103,7 @@ perl -x patchlevel.h \
 'Fedora Patch85: Fix a null-pointer dereference on malformed code (RT#130815)' \
 'Fedora Patch86: Fix an use-after-free in substr() that modifies a magic variable (RT#129340)' \
 'Fedora Patch87: Fix a memory leak leak in Perl_reg_named_buff_fetch() (RT#130822)' \
+ 'Fedora Patch88: Fix an invalid memory read when parsing a loop variable (RT#130814)' \
 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
 %{nil}
@@ -5371,6 +5386,7 @@ popd
 - Fix a null-pointer dereference on malformed code (RT#130815)
 - Fix an use-after-free in substr() that modifies a magic variable (RT#129340)
 - Fix a memory leak leak in Perl_reg_named_buff_fetch() (RT#130822)
+- Fix an invalid memory read when parsing a loop variable (RT#130814)
 * Fri Feb 17 2017 Petr Pisar <ppi...@redhat.com> - 4:5.24.1-384
 - Fix a crash when compiling a regexp with impossible quantifiers (RT#130561)
-- cgit v1.1
https://src.fedoraproject.org/cgit/perl.git/commit/?h=f25&id=5888bbf500cec47a00b4d2bfe9ebb218810471da
_______________________________________________
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
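Review bot: The patchlevel.h entry added in this hunk names only `Fedora Patch88`, which per the Patch list is the test-case patch, while the toke.c change that actually fixes RT#130814 is Patch89 and Patch90/Patch91 are test-support backports. Anyone auditing a build from the locally-applied-patches list will see one line standing for four applied patches. If that grouping is intentional, a spec comment above the Patch88 line such as `# Patch88-91 together fix RT#130814; Patch89 carries the toke.c change` would make the mapping explicit.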