Fix crash in Storable when deserializing malformed code reference

2016-12-20 13:24:36 +01:00 · 2016-12-20 13:24:36 +01:00 · 2d6c9c3a89
parent 82773d404f
commit 2d6c9c3a89
2 changed files with 70 additions and 1 deletions
--- a/perl-5.25.7-Fix-Storable-segfaults.patch
+++ b/perl-5.25.7-Fix-Storable-segfaults.patch
@ -0,0 +1,61 @@
+From fecd3be8dbdb747b9cbf4cbb9299ce40faabc8e6 Mon Sep 17 00:00:00 2001
+From: John Lightsey <lightsey@debian.org>
+Date: Mon, 14 Nov 2016 11:56:15 +0100
+Subject: [PATCH] Fix Storable segfaults.
+
+Fix a null pointed dereference segfault in storable when the
+retrieve_code logic was unable to read the string that contained
+the code.
+
+Also fix several locations where retrieve_other was called with a
+null context pointer. This also resulted in a null pointer
+dereference.
+---
+ dist/Storable/Storable.xs | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
+index 053951c..caa489c 100644
+--- a/dist/Storable/Storable.xs
+++ b/dist/Storable/Storable.xs
+@@ -5647,6 +5647,10 @@ static SV *retrieve_code(pTHX_ stcxt_t *cxt, const char *cname)
+ 		CROAK(("Unexpected type %d in retrieve_code\n", type));
+ 	}
+ 
+	if (!text) {
+		CROAK(("Unable to retrieve code\n"));
+	}
+
+ 	/*
+ 	 * prepend "sub " to the source
+ 	 */
+@@ -5767,7 +5771,7 @@ static SV *old_retrieve_array(pTHX_ stcxt_t *cxt, const char *cname)
+ 			continue;			/* av_extend() already filled us with undef */
+ 		}
+ 		if (c != SX_ITEM)
+-			(void) retrieve_other(aTHX_ (stcxt_t *) 0, 0);	/* Will croak out */
+			(void) retrieve_other(aTHX_ cxt, 0);	/* Will croak out */
+ 		TRACEME(("(#%d) item", i));
+ 		sv = retrieve(aTHX_ cxt, 0);						/* Retrieve item */
+ 		if (!sv)
+@@ -5844,7 +5848,7 @@ static SV *old_retrieve_hash(pTHX_ stcxt_t *cxt, const char *cname)
+ 			if (!sv)
+ 				return (SV *) 0;
+ 		} else
+-			(void) retrieve_other(aTHX_ (stcxt_t *) 0, 0);	/* Will croak out */
+			(void) retrieve_other(aTHX_ cxt, 0);	/* Will croak out */
+ 
+ 		/*
+ 		 * Get key.
+@@ -5855,7 +5859,7 @@ static SV *old_retrieve_hash(pTHX_ stcxt_t *cxt, const char *cname)
+ 
+ 		GETMARK(c);
+ 		if (c != SX_KEY)
+-			(void) retrieve_other(aTHX_ (stcxt_t *) 0, 0);	/* Will croak out */
+			(void) retrieve_other(aTHX_ cxt, 0);	/* Will croak out */
+ 		RLEN(size);						/* Get key size */
+ 		KBUFCHK((STRLEN)size);					/* Grow hash key read pool if needed */
+ 		if (size)
+-- 
+2.10.2
+
--- a/perl-Storable.spec
+++ b/perl-Storable.spec
@ -3,7 +3,7 @@
 Name:           perl-Storable
 Epoch:          1
 Version:        2.56
-Release:        366%{?dist}
+Release:        367%{?dist}
 Summary:        Persistence for Perl data structures
 License:        GPL+ or Artistic
 Group:          Development/Libraries
@ -15,6 +15,9 @@ Patch0:         Storable-2.51-Upgrade-to-2.53.patch
 Patch1:         Storable-2.53-Upgrade-to-2.56.patch
 # Avoid loading optional modules from default . (CVE-2016-1238)
 Patch2:         Storable-2.56-CVE-2016-1238-avoid-loading-optional-modules-from.patch
+# Fix crash in Storable when deserializing malformed code reference, RT#68348,
+# RT130098
+Patch3:         perl-5.25.7-Fix-Storable-segfaults.patch
 BuildRequires:  perl
 BuildRequires:  perl-devel
 BuildRequires:  perl-generators
@ -69,6 +72,7 @@ can be conveniently stored to disk and retrieved at a later time.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p3
 # Remove bundled modules
 rm -rf t/compat
 sed -i -e '/^t\/compat\//d' MANIFEST
@ -95,6 +99,10 @@ make test
 %{_mandir}/man3/*

 %changelog
+* Tue Dec 20 2016 Petr Pisar <ppisar@redhat.com> - 1:2.56-367
+- Fix crash in Storable when deserializing malformed code reference
+  (RT#68348, RT#130098)
+
 * Wed Aug 03 2016 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.56-366
 - Avoid loading optional modules from default . (CVE-2016-1238)