From 7cb6cbb4a7021c514a685b3d5f75da1228ac1c37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
Date: Wed, 8 Mar 2017 13:02:24 +0100
Subject: Fix a heap-use-after-free in four-arguments substr call

---
 ...30624-heap-use-after-free-in-4-arg-substr.patch | 70 ++++++++++++++++++++++
 perl.spec                                          |  7 +++
 2 files changed, 77 insertions(+)
 create mode 100644 
perl-5.24.1-RT-130624-heap-use-after-free-in-4-arg-substr.patch

diff --git a/perl-5.24.1-RT-130624-heap-use-after-free-in-4-arg-substr.patch 
b/perl-5.24.1-RT-130624-heap-use-after-free-in-4-arg-substr.patch
new file mode 100644
index 0000000..f018778
--- /dev/null
+++ b/perl-5.24.1-RT-130624-heap-use-after-free-in-4-arg-substr.patch
@@ -0,0 +1,70 @@
+From 4e0fb37303b72ed9d38949139c304abdb73e223e Mon Sep 17 00:00:00 2001
+From: Aaron Crane <a...@cpan.org>
+Date: Tue, 24 Jan 2017 23:39:40 +0000
+Subject: [PATCH] RT#130624: heap-use-after-free in 4-arg substr
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported to 5.24.1:
+
+commit 41b1e858a075694f88057b9514f5fc78c80b5355
+Author: Aaron Crane <a...@cpan.org>
+Date:   Tue Jan 24 23:39:40 2017 +0000
+
+    RT#130624: heap-use-after-free in 4-arg substr
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ pp.c          |  4 +++-
+ t/op/substr.t | 14 +++++++++++++-
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/pp.c b/pp.c
+index 334b353..aa6cff0 100644
+--- a/pp.c
++++ b/pp.c
+@@ -3462,8 +3462,10 @@ PP(pp_substr)
+       tmps = SvPV_force_nomg(sv, curlen);
+       if (DO_UTF8(repl_sv) && repl_len) {
+           if (!DO_UTF8(sv)) {
++                /* Upgrade the dest, and recalculate tmps in case the buffer
++                 * got reallocated; curlen may also have been changed */
+               sv_utf8_upgrade_nomg(sv);
+-              curlen = SvCUR(sv);
++              tmps = SvPV_nomg(sv, curlen);
+           }
+       }
+       else if (DO_UTF8(sv))
+diff --git a/t/op/substr.t b/t/op/substr.t
+index 01c36a9..f9fee48 100644
+--- a/t/op/substr.t
++++ b/t/op/substr.t
+@@ -22,7 +22,7 @@ $SIG{__WARN__} = sub {
+      }
+ };
+ 
+-plan(389);
++plan(391);
+ 
+ run_tests() unless caller;
+ 
+@@ -872,3 +872,15 @@ is($destroyed, 1, 'Timely scalar destruction with lvalue 
substr');
+ 
+ # failed with ASAN
+ fresh_perl_is('$0 = "/usr/bin/perl"; substr($0, 0, 0, $0)', '', {}, "(perl 
#129340) substr() with source in target");
++
++
++# [perl #130624] - heap-use-after-free, observable under asan
++{
++    my $x = "\xE9zzzz";
++    my $y = "\x{100}";
++    my $z = substr $x, 0, 1, $y;
++    is $z, "\xE9",        "RT#130624: heap-use-after-free in 4-arg substr 
(ret)";
++    is $x, "\x{100}zzzz", "RT#130624: heap-use-after-free in 4-arg substr 
(targ)";
++}
++
++
+-- 
+2.7.4
+
diff --git a/perl.spec b/perl.spec
index 96d3127..e46a4c5 100644
--- a/perl.spec
+++ b/perl.spec
@@ -323,6 +323,10 @@ Patch92:        
perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch
 # in upstream after 5.25.10
 Patch93:        perl-5.25.10-fix-VMS-test-fail.patch
 
+# Fix a heap-use-after-free in four-arguments substr call, RT#130624,
+# in upstream after 5.25.10
+Patch94:        perl-5.24.1-RT-130624-heap-use-after-free-in-4-arg-substr.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       
perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
 
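Review bot: The comment added above `Patch94:` states the fix is `in upstream after 5.25.10`, yet the embedded upstream commit 41b1e858 carries an author date of 24 Jan 2017, which precedes the 5.25.10 release (20 Feb 2017), so the fix may already be contained in 5.25.10 rather than in a later release; the same phrase appears verbatim on the Patch93 entry just above, so it may have been carried over. This wording is what tells the next maintainer when the patch can be dropped at a rebase, so it is worth checking against the upstream tag before it lands. If the commit is in 5.25.10, change the comment to `# in upstream since 5.25.10`; if it was merged later than its author date, keep the text but add the upstream commit id to the comment, e.g. `# RT#130624, upstream commit 41b1e858, in upstream after 5.25.10`, so the drop point can be verified without opening the patch file.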
@@ -3042,6 +3046,7 @@ popd
 %patch91 -p1
 %patch92 -p1
 %patch93 -p1
+%patch94 -p1
 %patch200 -p1
 %patch201 -p1
 
@@ -3117,6 +3122,7 @@ perl -x patchlevel.h \
     'Fedora Patch88: Fix an use-after-free in substr() that modifies a magic 
variable (RT#129340)' \
     'Fedora Patch89: Fix a memory leak leak in Perl_reg_named_buff_fetch() 
(RT#130822)' \
     'Fedora Patch90: Fix an invalid memory read when parsing a loop variable 
(RT#130814)' \
+    'Fedora Patch94: Fix a heap-use-after-free in four-arguments substr call 
(RT#130624)' \
     'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on 
Linux' \
     'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
     %{nil}
@@ -5398,6 +5404,7 @@ popd
 - Fix an use-after-free in substr() that modifies a magic variable (RT#129340)
 - Fix a memory leak leak in Perl_reg_named_buff_fetch() (RT#130822)
 - Fix an invalid memory read when parsing a loop variable (RT#130814)
+- Fix a heap-use-after-free in four-arguments substr call (RT#130624)
 
 * Fri Feb 17 2017 Petr Pisar <ppi...@redhat.com> - 4:5.24.1-389
 - Adapt Compress::Raw::Zlib to zlib-1.2.11 (bug #1420326)
-- 
cgit v1.1


        
https://src.fedoraproject.org/cgit/perl.git/commit/?h=master&id=7cb6cbb4a7021c514a685b3d5f75da1228ac1c37