Hello community, here is the log from the commit of package perl-JSON-XS for openSUSE:Factory checked in at 2017-09-04 12:36:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-JSON-XS (Old) and /work/SRC/openSUSE:Factory/.perl-JSON-XS.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-JSON-XS" Mon Sep 4 12:36:33 2017 rev:20 rq:520423 version:3.04 Changes: -------- --- /work/SRC/openSUSE:Factory/perl-JSON-XS/perl-JSON-XS.changes 2016-11-18 22:02:56.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.perl-JSON-XS.new/perl-JSON-XS.changes 2017-09-04 12:36:37.676933521 +0200 @@ -1,0 +2,19 @@ +Fri Aug 18 05:38:04 UTC 2017 - co...@suse.com + +- updated to 3.04 + see /usr/share/doc/packages/perl-JSON-XS/Changes + + TODO: move json_xs to types::serialiser + + 3.04 Thu Aug 17 04:30:47 CEST 2017 + - change exponential realloc algorithm on encoding and string decoding to be + really exponential (this helps slow/debugging allocators such as libumem) + (reported by Matthew Horsfall). + - string encoding would needlessly overallocate output space + (testcase by Matthew Horsfall). + - be very paranoid about extending buffer lengths and croak if buffers get too large, + which might (or might not) improve security. + - add cbor-packed type to json_xs. + - switch from YAML to YAML::XS in json_xs, as YAML is way too buggy and outdated. + +------------------------------------------------------------------- Old: ---- JSON-XS-3.03.tar.gz New: ---- JSON-XS-3.04.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-JSON-XS.spec ++++++ --- /var/tmp/diff_new_pack.WiLovY/_old 2017-09-04 12:36:39.140727578 +0200 +++ /var/tmp/diff_new_pack.WiLovY/_new 2017-09-04 12:36:39.152725890 +0200 @@ -1,7 +1,7 @@ # # spec file for package perl-JSON-XS # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: perl-JSON-XS -Version: 3.03 +Version: 3.04 Release: 0 #Upstream: CHECK(GPL-1.0+ or Artistic-1.0) %define cpan_name JSON-XS @@ -25,7 +25,7 @@ License: Artistic-1.0 or GPL-1.0+ Group: Development/Libraries/Perl Url: http://search.cpan.org/dist/JSON-XS/ -Source0: http://www.cpan.org/authors/id/M/ML/MLEHMANN/%{cpan_name}-%{version}.tar.gz +Source0: https://cpan.metacpan.org/authors/id/M/ML/MLEHMANN/%{cpan_name}-%{version}.tar.gz Source1: cpanspec.yml BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: perl @@ -47,7 +47,7 @@ overridden) with no overhead due to emulation (by inheriting constructor and methods). If JSON::XS is not available, it will fall back to the compatible JSON::PP module as backend, so using JSON instead of JSON::XS -gives you a portable JSON API that can be fast when you need and doesn't +gives you a portable JSON API that can be fast when you need it and doesn't require a C compiler when that is a problem. As this is the n-th-something JSON module on CPAN, what was the reason to @@ -77,6 +77,7 @@ %files -f %{name}.files %defattr(-,root,root,755) -%doc Changes COPYING README +%doc Changes README +%license COPYING %changelog ++++++ JSON-XS-3.03.tar.gz -> JSON-XS-3.04.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-3.03/Changes new/JSON-XS-3.04/Changes --- old/JSON-XS-3.03/Changes 2016-11-16 20:21:23.000000000 +0100 +++ new/JSON-XS-3.04/Changes 2017-08-17 04:31:27.000000000 +0200 @@ -7,6 +7,18 @@ TODO: investigate magic (Eric Brine) TODO: rfc7464 TODO: Victor Efimov +TODO: move json_xs to types::serialiser + +3.04 Thu Aug 17 04:30:47 CEST 2017 + - change exponential realloc algorithm on encoding and string decoding to be + really exponential (this helps slow/debugging allocators such as libumem) + (reported by Matthew Horsfall). + - string encoding would needlessly overallocate output space + (testcase by Matthew Horsfall). + - be very paranoid about extending buffer lengths and croak if buffers get too large, + which might (or might not) improve security. + - add cbor-packed type to json_xs. + - switch from YAML to YAML::XS in json_xs, as YAML is way too buggy and outdated. 3.03 Wed Nov 16 20:20:59 CET 2016 - fix a bug introduced by a perl bug workaround that would cause diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-3.03/META.json new/JSON-XS-3.04/META.json --- old/JSON-XS-3.03/META.json 2016-11-16 20:21:42.000000000 +0100 +++ new/JSON-XS-3.04/META.json 2017-08-17 05:47:47.000000000 +0200 @@ -4,7 +4,7 @@ "unknown" ], "dynamic_config" : 1, - "generated_by" : "ExtUtils::MakeMaker version 7.1, CPAN::Meta::Converter version 2.150001", + "generated_by" : "ExtUtils::MakeMaker version 7.3, CPAN::Meta::Converter version 2.150010", "license" : [ "unknown" ], @@ -39,5 +39,6 @@ } }, "release_status" : "stable", - "version" : 3.03 + "version" : 3.04, + "x_serialization_backend" : "JSON::PP version 2.27300" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-3.03/META.yml new/JSON-XS-3.04/META.yml --- old/JSON-XS-3.03/META.yml 2016-11-16 20:21:42.000000000 +0100 +++ new/JSON-XS-3.04/META.yml 2017-08-17 05:47:47.000000000 +0200 @@ -8,7 +8,7 @@ Canary::Stability: '0' ExtUtils::MakeMaker: '6.52' dynamic_config: 1 -generated_by: 'ExtUtils::MakeMaker version 7.1, CPAN::Meta::Converter version 2.150001' +generated_by: 'ExtUtils::MakeMaker version 7.3, CPAN::Meta::Converter version 2.150010' license: unknown meta-spec: url: http://module-build.sourceforge.net/META-spec-v1.4.html @@ -21,4 +21,5 @@ requires: Types::Serialiser: '0' common::sense: '0' -version: 3.03 +version: 3.04 +x_serialization_backend: 'CPAN::Meta::YAML version 0.012' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-3.03/README new/JSON-XS-3.04/README --- old/JSON-XS-3.03/README 2016-11-16 20:21:43.000000000 +0100 +++ new/JSON-XS-3.04/README 2017-08-17 05:47:47.000000000 +0200 @@ -38,7 +38,7 @@ constructor and methods). If JSON::XS is not available, it will fall back to the compatible JSON::PP module as backend, so using JSON instead of JSON::XS gives you a portable JSON API that can be fast when you need - and doesn't require a C compiler when that is a problem. + it and doesn't require a C compiler when that is a problem. As this is the n-th-something JSON module on CPAN, what was the reason to write yet another JSON module? While it seems there are many JSON @@ -1565,13 +1565,11 @@ cannot handle non-reference values, in preparation for the day when the default will change. -THREADS - This module is *not* guaranteed to be thread safe and there are no plans - to change this until Perl gets thread support (as opposed to the - horribly slow so-called "threads" which are simply slow and bloated - process simulations - use fork, it's *much* faster, cheaper, better). - - (It might actually work, but you have been warned). +(I-)THREADS + This module is *not* guaranteed to be ithread (or MULTIPLICITY-) safe + and there are no plans to change this. Note that perl's builtin + so-called theeads/ithreads are officially deprecated and should not be + used. THE PERILS OF SETLOCALE Sometimes people avoid the Perl locale support and directly call the diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-3.03/XS.pm new/JSON-XS-3.04/XS.pm --- old/JSON-XS-3.03/XS.pm 2016-11-16 20:21:40.000000000 +0100 +++ new/JSON-XS-3.04/XS.pm 2017-08-17 04:31:35.000000000 +0200 @@ -42,8 +42,8 @@ overridden) with no overhead due to emulation (by inheriting constructor and methods). If JSON::XS is not available, it will fall back to the compatible JSON::PP module as backend, so using JSON instead of JSON::XS -gives you a portable JSON API that can be fast when you need and doesn't -require a C compiler when that is a problem. +gives you a portable JSON API that can be fast when you need it and +doesn't require a C compiler when that is a problem. As this is the n-th-something JSON module on CPAN, what was the reason to write yet another JSON module? While it seems there are many JSON @@ -103,7 +103,7 @@ use common::sense; -our $VERSION = 3.03; +our $VERSION = 3.04; our @ISA = qw(Exporter); our @EXPORT = qw(encode_json decode_json); @@ -1698,14 +1698,11 @@ will change. -=head1 THREADS +=head1 (I-)THREADS -This module is I<not> guaranteed to be thread safe and there are no -plans to change this until Perl gets thread support (as opposed to the -horribly slow so-called "threads" which are simply slow and bloated -process simulations - use fork, it's I<much> faster, cheaper, better). - -(It might actually work, but you have been warned). +This module is I<not> guaranteed to be ithread (or MULTIPLICITY-) safe +and there are no plans to change this. Note that perl's builtin so-called +theeads/ithreads are officially deprecated and should not be used. =head1 THE PERILS OF SETLOCALE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-3.03/XS.xs new/JSON-XS-3.04/XS.xs --- old/JSON-XS-3.03/XS.xs 2016-11-16 20:16:28.000000000 +0100 +++ new/JSON-XS-3.04/XS.xs 2017-08-17 03:54:33.000000000 +0200 @@ -8,6 +8,7 @@ #include <stdio.h> #include <limits.h> #include <float.h> +#include <inttypes.h> #if defined(__BORLANDC__) || defined(_MSC_VER) # define snprintf _snprintf // C compilers have this in stdio.h @@ -156,6 +157,31 @@ } } +/* adds two STRLENs together, slow, and with paranoia */ +STRLEN +strlen_sum (STRLEN l1, STRLEN l2) +{ + size_t sum = l1 + l2; + + if (sum < (size_t)l2 || sum != (size_t)(STRLEN)sum) + croak ("JSON::XS: string size overflow"); + + return sum; +} + +/* similar to SvGROW, but somewhat safer and guarantees exponential realloc strategy */ +static char * +json_sv_grow (SV *sv, size_t len1, size_t len2) +{ + len1 = strlen_sum (len1, len2); + len1 = strlen_sum (len1, len1 >> 1); + + if (len1 > 4096 - 24) + len1 = (len1 | 4095) - 24; + + return SvGROW (sv, len1); +} + // decode an utf-8 character and return it, or (UV)-1 in // case of an error. // we special-case "safe" characters from U+80 .. U+7FF, @@ -363,12 +389,12 @@ INLINE void need (enc_t *enc, STRLEN len) { - if (expect_false (enc->cur + len >= enc->end)) + if (expect_false ((uintptr_t)(enc->end - enc->cur) < len)) { STRLEN cur = enc->cur - (char *)SvPVX (enc->sv); - SvGROW (enc->sv, cur + (len < (cur >> 2) ? cur >> 2 : len) + 1); - enc->cur = SvPVX (enc->sv) + cur; - enc->end = SvPVX (enc->sv) + SvLEN (enc->sv) - 1; + char *buf = json_sv_grow (enc->sv, cur, len); + enc->cur = buf + cur; + enc->end = buf + SvLEN (enc->sv) - 1; } } @@ -394,13 +420,13 @@ { if (expect_false (ch == '"')) // but with slow exceptions { - need (enc, len += 1); + need (enc, len + 1); *enc->cur++ = '\\'; *enc->cur++ = '"'; } else if (expect_false (ch == '\\')) { - need (enc, len += 1); + need (enc, len + 1); *enc->cur++ = '\\'; *enc->cur++ = '\\'; } @@ -413,11 +439,11 @@ { switch (ch) { - case '\010': need (enc, len += 1); *enc->cur++ = '\\'; *enc->cur++ = 'b'; ++str; break; - case '\011': need (enc, len += 1); *enc->cur++ = '\\'; *enc->cur++ = 't'; ++str; break; - case '\012': need (enc, len += 1); *enc->cur++ = '\\'; *enc->cur++ = 'n'; ++str; break; - case '\014': need (enc, len += 1); *enc->cur++ = '\\'; *enc->cur++ = 'f'; ++str; break; - case '\015': need (enc, len += 1); *enc->cur++ = '\\'; *enc->cur++ = 'r'; ++str; break; + case '\010': need (enc, len + 1); *enc->cur++ = '\\'; *enc->cur++ = 'b'; ++str; break; + case '\011': need (enc, len + 1); *enc->cur++ = '\\'; *enc->cur++ = 't'; ++str; break; + case '\012': need (enc, len + 1); *enc->cur++ = '\\'; *enc->cur++ = 'n'; ++str; break; + case '\014': need (enc, len + 1); *enc->cur++ = '\\'; *enc->cur++ = 'f'; ++str; break; + case '\015': need (enc, len + 1); *enc->cur++ = '\\'; *enc->cur++ = 'r'; ++str; break; default: { @@ -443,7 +469,7 @@ if (uch >= 0x110000UL) croak ("out of range codepoint (0x%lx) encountered, unrepresentable in JSON", (unsigned long)uch); - need (enc, len += 11); + need (enc, len + 11); sprintf (enc->cur, "\\u%04x\\u%04x", (int)((uch - 0x10000) / 0x400 + 0xD800), (int)((uch - 0x10000) % 0x400 + 0xDC00)); @@ -451,7 +477,7 @@ } else { - need (enc, len += 5); + need (enc, len + 5); *enc->cur++ = '\\'; *enc->cur++ = 'u'; *enc->cur++ = PL_hexdigit [ uch >> 12 ]; @@ -469,7 +495,7 @@ } else if (is_utf8) { - need (enc, len += clen); + need (enc, len + clen); do { *enc->cur++ = *str++; @@ -478,7 +504,7 @@ } else { - need (enc, len += UTF8_MAXBYTES - 1); // never more than 11 bytes needed + need (enc, len + UTF8_MAXBYTES - 1); // never more than 11 bytes needed enc->cur = encode_utf8 (enc->cur, uch); ++str; } @@ -1169,8 +1195,8 @@ { STRLEN cur = SvCUR (sv); - if (SvLEN (sv) <= cur + len) - SvGROW (sv, cur + (len < (cur >> 2) ? cur >> 2 : len) + 1); + if (SvLEN (sv) - cur <= len) + json_sv_grow (sv, cur, len); memcpy (SvPVX (sv) + SvCUR (sv), buf, len); SvCUR_set (sv, SvCUR (sv) + len); @@ -2160,8 +2186,8 @@ const char *str = SvPV (jsonstr, len); STRLEN cur = SvCUR (self->incr_text); - if (SvLEN (self->incr_text) <= cur + len) - SvGROW (self->incr_text, cur + (len < (cur >> 2) ? cur >> 2 : len) + 1); + if (SvLEN (self->incr_text) - cur <= len) + json_sv_grow (self->incr_text, cur, len); Move (str, SvEND (self->incr_text), len, char); SvCUR_set (self->incr_text, SvCUR (self->incr_text) + len); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/JSON-XS-3.03/bin/json_xs new/JSON-XS-3.04/bin/json_xs --- old/JSON-XS-3.03/bin/json_xs 2016-09-23 09:44:48.000000000 +0200 +++ new/JSON-XS-3.04/bin/json_xs 2017-07-07 04:31:43.000000000 +0200 @@ -46,7 +46,7 @@ =item eval - evaluate the given code as (non-utf-8) Perl, basically the reverse of "-t dump" -=item yaml - L<YAML> (avoid at all costs, requires the YAML module :) +=item yaml - L<YAML> format (requires that module to be installed) =item string - do not attempt to decode the file data @@ -72,6 +72,8 @@ =item cbor - CBOR (RFC 7049, L<CBOR::XS>), a kind of binary JSON +=item cbor-packed - CBOR using extensions to make it smaller + =item storable - a L<Storable> frozen value in network format =item storable-file - a L<Storable> file in network format (Storable has two incompatible formats) @@ -80,7 +82,7 @@ =item clzf - L<Compress::LZF> format -=item yaml - L<YAML> +=item yaml - L<YAML::XS> format =item dump - L<Data::Dump> @@ -182,7 +184,7 @@ "storable-file" => sub { open my $fh, "<", \$_; Storable::fd_retrieve $fh }, "bencode" => sub { require Convert::Bencode; Convert::Bencode::bdecode ($_) }, "clzf" => sub { require Compress::LZF; Compress::LZF::sthaw ($_) }, - "yaml" => sub { require YAML; YAML::Load ($_) }, + "yaml" => sub { require YAML::XS; YAML::XS::Load ($_) }, "eval" => sub { my $v = eval "no strict; no warnings; no utf8;\n#line 1 \"input\"\n$_"; die "$@" if $@; $v }, ); @@ -197,11 +199,12 @@ "json-utf-32le" => sub { encode "utf-32le", JSON::XS->new->encode ($_) }, "json-utf-32be" => sub { encode "utf-32be", JSON::XS->new->encode ($_) }, "cbor" => sub { require CBOR::XS; CBOR::XS::encode_cbor ($_) }, + "cbor-packed" => sub { require CBOR::XS; CBOR::XS->new->pack_strings->encode ($_) }, "storable" => sub { Storable::nfreeze $_ }, "storable-file" => sub { open my $fh, ">", \my $buf; Storable::nstore_fd $_, $fh; $buf }, "bencode" => sub { require Convert::Bencode; Convert::Bencode::bencode ($_) }, "clzf" => sub { require Compress::LZF; Compress::LZF::sfreeze_cr ($_) }, - "yaml" => sub { require YAML; YAML::Dump ($_) }, + "yaml" => sub { require YAML::XS; YAML::XS::Dump ($_) }, "dumper" => sub { require Data::Dumper; #local $Data::Dumper::Purity = 1; # hopeless case