From 7d019df066f34c6953a40931fe2bb444f681d51c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
Date: Wed, 8 Mar 2017 12:41:54 +0100
Subject: Fix an invalid memory read when parsing a loop variable
---
 ...-update-pointer-into-PL_linestr-after-loo.patch | 50 +++++++++++++++
 perl-5.25.10-fix-VMS-test-fail.patch | 44 +++++++++++++
 ...-Add-testcase-and-new-testfile-t-comp-par.patch | 55 ++++++++++++++++
 ...-5.25.2-t-test.pl-Add-fresh_perl-function.patch | 74 ++++++++++++++++++++++
 perl.spec | 16 +++++
 5 files changed, 239 insertions(+)
 create mode 100644 perl-5.22.3-perl-130814-update-pointer-into-PL_linestr-after-loo.patch
 create mode 100644 perl-5.25.10-fix-VMS-test-fail.patch
 create mode 100644 perl-5.25.10-perl-130814-Add-testcase-and-new-testfile-t-comp-par.patch
 create mode 100644 perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch
diff --git a/perl-5.22.3-perl-130814-update-pointer-into-PL_linestr-after-loo.patch b/perl-5.22.3-perl-130814-update-pointer-into-PL_linestr-after-loo.patch
new file mode 100644
index 0000000..299f69a
--- /dev/null
+++ b/perl-5.22.3-perl-130814-update-pointer-into-PL_linestr-after-loo.patch
@@ -0,0 +1,50 @@
+From 976900025e7327873d86550633c9c9a9200fa73d Mon Sep 17 00:00:00 2001
+From: Hugo van der Sanden <[email protected]>
+Date: Sun, 19 Feb 2017 10:46:09 +0000
+Subject: [PATCH] update pointer into PL_linestr after lookahead
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported to: 5.22.3:
+
+commit 90f2cc9a600117a49f8ee3e30cc681f062350c24
+Author: Hugo van der Sanden <[email protected]>
+Date: Sun Feb 19 10:46:09 2017 +0000
+
+ [perl #130814] update pointer into PL_linestr after lookahead
+
+ Looking ahead for the "Missing $ on loop variable" diagnostic can reallocate
+ PL_linestr, invalidating our pointer. Save the offset so we can update it
+ in that case.
+
+Signed-off-by: Petr Písař <[email protected]>
+---
+ toke.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/toke.c b/toke.c
+index 999eb2c..da3ff73 100644
+--- a/toke.c
++++ b/toke.c
+@@ -7318,6 +7318,7 @@ Perl_yylex(pTHX)
+ s = skipspace(s);
+ if (PL_expect == XSTATE && isIDFIRST_lazy_if(s,UTF)) {
+ char *p = s;
++ SSize_t s_off = s - SvPVX(PL_linestr);
+
+ if ((PL_bufend - p) >= 3 &&
+ strnEQ(p, "my", 2) && isSPACE(*(p + 2)))
+@@ -7333,6 +7334,9 @@ Perl_yylex(pTHX)
+ }
+ if (*p != '$')
+ Perl_croak(aTHX_ "Missing $ on loop variable");
++
++ /* The buffer may have been reallocated, update s */
++ s = SvPVX(PL_linestr) + s_off;
+ }
+ OPERATOR(FOR);
+
+--
+2.7.4
+
diff --git a/perl-5.25.10-fix-VMS-test-fail.patch b/perl-5.25.10-fix-VMS-test-fail.patch
new file mode 100644
index 0000000..38cc190
--- /dev/null
+++ b/perl-5.25.10-fix-VMS-test-fail.patch
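Review bot: The added `SSize_t s_off = s - SvPVX(PL_linestr);` carries no comment, so the reason `s` is captured as an offset is only explained at the restore several lines later, past code that neither inner hunk shows. A one-line comment at the declaration would help, e.g. `/* lookahead below may realloc PL_linestr; remember s as an offset */`. The restore looks right for `s`, but whether any other raw pointer into PL_linestr is held across the lookahead cannot be judged from the visible lines, because this branch of Perl_yylex continues outside both hunks. The header says `Ported to: 5.22.3` without stating what differs from upstream 90f2cc9a, which is worth recording for anyone auditing the backport.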
@@ -0,0 +1,44 @@
+From bce4a2abeb8652d19e97d3bf07dd2580a3cc2e6c Mon Sep 17 00:00:00 2001
+From: Hugo van der Sanden <[email protected]>
+Date: Sat, 25 Feb 2017 10:42:17 +0000
+Subject: [PATCH] fix VMS test fail
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+d7186add added a runperl() test that breaks command line length limits for
+VMS. Switch to fresh_perl() instead, so the prog is put in a file for us.
+
+Signed-off-by: Petr Písař <[email protected]>
+---
+ t/comp/parser_run.t | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/t/comp/parser_run.t b/t/comp/parser_run.t
+index 2543f49..e74644d 100644
+--- a/t/comp/parser_run.t
++++ b/t/comp/parser_run.t
+@@ -14,14 +14,14 @@ plan(1);
+
+ # [perl #130814] can reallocate lineptr while looking ahead for
+ # "Missing $ on loop variable" diagnostic.
+-my $result = runperl(
+- prog => " foreach m0\n\$" . ("0" x 0x2000),
+- stderr => 1,
++my $result = fresh_perl(
++ " foreach m0\n\$" . ("0" x 0x2000),
++ { stderr => 1 },
+ );
+-is($result, <<EXPECT);
+-syntax error at -e line 3, near "foreach m0
++is($result . "\n", <<EXPECT);
++syntax error at - line 3, near "foreach m0
+ "
+-Identifier too long at -e line 3.
++Identifier too long at - line 3.
+ EXPECT
+
+ __END__
+--
+2.7.4
+
diff --git a/perl-5.25.10-perl-130814-Add-testcase-and-new-testfile-t-comp-par.patch b/perl-5.25.10-perl-130814-Add-testcase-and-new-testfile-t-comp-par.patch
new file mode 100644
index 0000000..570df14
--- /dev/null
+++ b/perl-5.25.10-perl-130814-Add-testcase-and-new-testfile-t-comp-par.patch
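Review bot: The new `is($result . "\n", <<EXPECT);` appends a newline without explanation, and the assertion still has no description. fresh_perl() trims trailing newlines from the child's output (`$results =~ s/\n+$//;` in the t/test.pl patch on this page), which is presumably why one is added back. A comment such as `# fresh_perl() trims trailing newlines; restore one to match the heredoc` and a third argument naming the ticket, `is($result . "\n", <<EXPECT, '[perl #130814] for-loop lookahead');`, would make a failure self-explanatory.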
@@ -0,0 +1,55 @@
+From d7186addd1b477f6bdcef5e9d24f2125691a9082 Mon Sep 17 00:00:00 2001
+From: Hugo van der Sanden <[email protected]>
+Date: Sun, 19 Feb 2017 11:15:38 +0000
+Subject: [PATCH] [perl #130814] Add testcase, and new testfile
+ t/comp/parser_run.t
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Sometimes it's useful to have test.pl around, but it seems inappropriate
+to pollute the existing t/comp/parser.t with that.
+
+Signed-off-by: Petr Písař <[email protected]>
+---
+ t/comp/parser_run.t | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+ create mode 100644 t/comp/parser_run.t
+
+diff --git a/t/comp/parser_run.t b/t/comp/parser_run.t
+new file mode 100644
+index 0000000..2543f49
+--- /dev/null
++++ b/t/comp/parser_run.t
+@@ -0,0 +1,28 @@
++#!./perl
++
++# Parser tests that want test.pl, eg to use runperl() for tests to show
++# reads through invalid pointers.
++# Note that this should still be runnable under miniperl.
++
++BEGIN {
++ @INC = qw(. ../lib );
++ chdir 't' if -d 't';
++}
++
++require './test.pl';
++plan(1);
++
++# [perl #130814] can reallocate lineptr while looking ahead for
++# "Missing $ on loop variable" diagnostic.
++my $result = runperl(
++ prog => " foreach m0\n\$" . ("0" x 0x2000),
++ stderr => 1,
++);
++is($result, <<EXPECT);
++syntax error at -e line 3, near "foreach m0
++"
++Identifier too long at -e line 3.
++EXPECT
++
++__END__
++# ex: set ts=8 sts=4 sw=4 et:
+--
+2.7.4
+
diff --git a/perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch b/perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch
new file mode 100644
index 0000000..24d7f60
--- /dev/null
+++ b/perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch
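Review bot: The new test compares only the diagnostic text printed by the child perl, so it records the reproducer but may not fail on an unfixed interpreter unless the stale read happens to change the output or the run is under a memory checker. That is an inference; the page shows no failing run. The file header already says these tests exist "to show reads through invalid pointers", so a comment next to the `runperl()` call stating how a regression is expected to surface, e.g. `# only reliably caught under valgrind or ASan`, would tell packagers what a passing result actually proves.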
@@ -0,0 +1,74 @@
+From f6203e997f3012b8aab4cd35fe49f58e4d71fb8c Mon Sep 17 00:00:00 2001
+From: Karl Williamson <[email protected]>
+Date: Sun, 10 Jul 2016 22:06:12 -0600
+Subject: [PATCH] t/test.pl: Add fresh_perl() function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This will be useful for cases where the results don't readily fall into
+fresh_perl_is and fresh_perl_like, such as when a bunch of massaging of
+the results is needed before it is convenient to test them.
+fresh_perl_like() could be used, but in the case of failure there could
+be lines and lines of noise output.
+
+Signed-off-by: Petr Písař <[email protected]>
+---
+ t/test.pl | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/t/test.pl b/t/test.pl
+index 41b77f4..20d08e9 100644
+--- a/t/test.pl
++++ b/t/test.pl
+@@ -953,11 +953,16 @@ sub register_tempfile {
+ return $count;
+ }
+
+-# This is the temporary file for _fresh_perl
++# This is the temporary file for fresh_perl
+ my $tmpfile = tempfile();
+
+-sub _fresh_perl {
+- my($prog, $action, $expect, $runperl_args, $name) = @_;
++sub fresh_perl {
++ my($prog, $runperl_args) = @_;
++
++ # Run 'runperl' with the complete perl program contained in '$prog', and
++ # arguments in the hash referred to by '$runperl_args'. The results are
++ # returned, with $? set to the exit code. Unless overridden, stderr is
++ # redirected to stdout.
+
+ # Given the choice of the mis-parsable {}
+ # (we want an anon hash, but a borked lexer might think that it's a block)
+@@ -975,7 +980,8 @@ sub _fresh_perl {
+ close TEST or die "Cannot close $tmpfile: $!";
+
+ my $results = runperl(%$runperl_args);
+- my $status = $?;
++ my $status = $?; # Not necessary to save this, but it makes it clear to
++ # future maintainers.
+
+ # Clean up the results into something a bit more predictable.
+ $results =~ s/\n+$//;
+@@ -994,6 +1000,17 @@ sub _fresh_perl {
+ $results =~ s/\n\n/\n/g;
+ }
+
++ $? = $status;
++ return $results;
++}
++
++
++sub _fresh_perl {
++ my($prog, $action, $expect, $runperl_args, $name) = @_;
++
++ my $results = fresh_perl($prog, $runperl_args);
++ my $status = $?;
++
+ # Use the first line of the program as a name if none was given
+ unless( $name ) {
+ ($first_line, $name) = $prog =~ /^((.{1,50}).*)/;
+--
+2.7.4
+
diff --git a/perl.spec b/perl.spec
index 248eda7..3eacb2d 100644
--- a/perl.spec
+++ b/perl.spec
@@ -215,6 +215,16 @@ Patch71: perl-5.22.3-perl-129340-copy-the-source-when-inside-the-dest-in-
 # in upstream after 5.25.10
 Patch72: perl-5.22.3-perl-130822-fix-an-AV-leak-in-Perl_reg_named_buff_fe.patch
+# Fix an invalid memory read when parsing a loop variable, RT#130814,
+# in upstream after 5.25.10
+Patch73: perl-5.25.10-perl-130814-Add-testcase-and-new-testfile-t-comp-par.patch
+# in upstream after 5.25.10
+Patch74: perl-5.22.3-perl-130814-update-pointer-into-PL_linestr-after-loo.patch
+# in upstream after 5.25.2
+Patch75: perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch
+# in upstream after 5.25.10
+Patch76: perl-5.25.10-fix-VMS-test-fail.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@@ -2529,6 +2539,10 @@ Perl extension for Version Objects
 %patch70 -p1
 %patch71 -p1
 %patch72 -p1
+%patch73 -p1
+%patch74 -p1
+%patch75 -p1
+%patch76 -p1
 %patch200 -p1
 %patch201 -p1
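Review bot: The new comment in `fresh_perl` says the results are returned "with $? set to the exit code", but the code restores `$? = $status`, i.e. whatever `$?` held right after `runperl()`. If runperl() runs the child through backticks or system (not visible here), that value is the raw wait status and the exit code is `$? >> 8`, so I would word it `# returned, with $? set to the child's status as left by runperl().` The trailing comment on `my $status = $?;` also reads as if the save were optional, while the `$? = $status;` added at the end depends on it. The cleanup code between the two is only partly visible, so whether it can clobber `$?` is not certain from these hunks.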
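Review bot: In the Patch73–Patch76 block the description "Fix an invalid memory read when parsing a loop variable" sits on Patch73, which is the test-only patch, while Patch74, the one that changes toke.c, carries just `# in upstream after 5.25.10`, and nothing says why a t/test.pl helper from 5.25.2 (Patch75) belongs to this fix. Comments such as `# The toke.c fix itself, in upstream after 5.25.10` above Patch74 and `# Adds fresh_perl() to t/test.pl, needed by Patch76` above Patch75 would make the dependency explicit. The patchlevel.h hunk further down registers only `Fedora Patch73`, so anyone checking a build for this fix sees the number of the test patch; if the project's convention allows, naming Patch74 there would be more precise.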
@@ -2586,6 +2600,7 @@ perl -x patchlevel.h \
 'Fedora Patch70: Fix a null-pointer dereference on malformed code (RT#130815)' \
 'Fedora Patch71: Fix an use-after-free in substr() that modifies a magic variable (RT#129340)' \
 'Fedora Patch72: Fix a memory leak leak in Perl_reg_named_buff_fetch() (RT#130822)' \
+ 'Fedora Patch73: Fix an invalid memory read when parsing a loop variable (RT#130814)' \
 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
 %{nil}
@@ -4842,6 +4857,7 @@ popd
 - Fix a null-pointer dereference on malformed code (RT#130815)
 - Fix an use-after-free in substr() that modifies a magic variable (RT#129340)
 - Fix a memory leak leak in Perl_reg_named_buff_fetch() (RT#130822)
+- Fix an invalid memory read when parsing a loop variable (RT#130814)
 * Fri Feb 17 2017 Petr Pisar <[email protected]> - 4:5.22.3-369
 - Fix a crash when compiling a regexp with impossible quantifiers (RT#130561)
-- cgit v1.1 https://src.fedoraproject.org/cgit/perl.git/commit/?h=f24&id=7d019df066f34c6953a40931fe2bb444f681d51c _______________________________________________ perl-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
