From 068fd059bed312226307e5039b50142f43e13d4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
Date: Fri, 16 Jun 2017 15:22:46 +0200
Subject: Fix a buffer overflow in my_atof2()
---
 ...-don-t-go-beyond-the-end-of-the-NUL-in-my.patch | 37 ++++++++++++++++++++++
 perl.spec | 6 ++++
 2 files changed, 43 insertions(+)
 create mode 100644 perl-5.27.0-perl-131526-don-t-go-beyond-the-end-of-the-NUL-in-my.patch
diff --git a/perl-5.27.0-perl-131526-don-t-go-beyond-the-end-of-the-NUL-in-my.patch b/perl-5.27.0-perl-131526-don-t-go-beyond-the-end-of-the-NUL-in-my.patch
new file mode 100644
index 0000000..05b2c80
--- /dev/null
+++ b/perl-5.27.0-perl-131526-don-t-go-beyond-the-end-of-the-NUL-in-my.patch
@@ -0,0 +1,37 @@
+From 9604fbf0722bd97ca6031a263c50ad52b6633db7 Mon Sep 17 00:00:00 2001
+From: Tony Cook <t...@develop-help.com>
+Date: Wed, 14 Jun 2017 09:42:31 +1000
+Subject: [PATCH] (perl #131526) don't go beyond the end of the NUL in my_atof2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Perl_my_atof2() calls GROK_NUMERIC_RADIX() to detect and skip past
+a decimal point and then can increment the parse pointer (s) before
+checking what it points at, so skipping the terminating NUL if the
+decimal point is immediately before the NUL.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ numeric.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/numeric.c b/numeric.c
+index 6ea6968..5771907 100644
+--- a/numeric.c
++++ b/numeric.c
+@@ -1485,9 +1485,9 @@ Perl_my_atof2(pTHX_ const char* orig, NV* value)
+ else if (!seen_dp && GROK_NUMERIC_RADIX(&s, send)) {
+ seen_dp = 1;
+ if (sig_digits > MAX_SIG_DIGITS) {
+- do {
++ while (isDIGIT(*s)) {
+ ++s;
+- } while (isDIGIT(*s));
++ }
+ break;
+ }
+ }
+--
+2.9.4
+
diff --git a/perl.spec b/perl.spec
index a01b07c..0273278 100644
--- a/perl.spec
+++ b/perl.spec
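Review bot: The rewritten skip loop in Perl_my_atof2(), `while (isDIGIT(*s)) {`, still terminates only on the NUL byte and never compares `s` with `send`, although the same branch passes `send` to GROK_NUMERIC_RADIX() as the parse bound. The hunk does not show how `send` is computed, so if it can ever lie before the terminator the loop would again read past the intended end; `while (s < send && isDIGIT(*s)) {` would make the bound explicit rather than implied. The embedded upstream patch changes only numeric.c (1 file changed), so a regression test for the case its commit message describes (`sig_digits > MAX_SIG_DIGITS` with the radix directly before the NUL) is missing and would be worth carrying alongside Patch103. The body of Perl_my_atof2() starts and ends outside this hunk.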
@@ -363,6 +363,9 @@ Patch101: perl-5.27.0-perl-131221-sv_dup-sv_dup_inc-are-only-available-und
 # in upstream after 5.27.0
 Patch102: perl-5.24.1-perl-131263-clear-the-UTF8-flag-on-a-glob-if-it-isn-.patch
 
+# Fix a buffer overflow in my_atof2(), RT#131526, in upstream after 5.27.0
+Patch103: perl-5.27.0-perl-131526-don-t-go-beyond-the-end-of-the-NUL-in-my.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
 
@@ -3103,6 +3106,7 @@ popd
 %patch100 -p1
 %patch101 -p1
 %patch102 -p1
+%patch103 -p1
 %patch200 -p1
 %patch201 -p1
 
@@ -3185,6 +3189,7 @@ perl -x patchlevel.h \
 'Fedora Patch99: Fix an improper cast of a negative integer to an unsigned 8-bit type (RT#131190)' \
 'Fedora Patch100: Fix cloning :via handles on thread creation (RT#131221)' \
 'Fedora Patch102: Fix glob UTF-8 flag on a glob reassignment (RT#131263)' \
+ 'Fedora Patch103: Fix a buffer overflow in my_atof2() (RT#131526)' \
 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
 %{nil}
@@ -5482,6 +5487,7 @@ popd
 - Fix an improper cast of a negative integer to an unsigned 8-bit type (RT#131190)
 - Fix cloning :via handles on thread creation (RT#131221)
 - Fix glob UTF-8 flag on a glob reassignment (RT#131263)
+- Fix a buffer overflow in my_atof2() (RT#131526)
 
 * Fri Mar 31 2017 Petr Pisar <ppi...@redhat.com> - 4:5.24.1-391
 - Introduce build-conditions for groff, systemtap, syslog tests, and tcsh
--
cgit v1.1
https://src.fedoraproject.org/cgit/perl.git/commit/?h=f26&id=068fd059bed312226307e5039b50142f43e13d4a
_______________________________________________
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org