Fix a buffer overflow when processing a vstring longer than 2^31-1

perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch

@@ -0,0 +1,67 @@
+From ea1e86cfdf26a330e58ea377a80273de7110011b Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Wed, 21 Aug 2019 11:37:58 +1000
+Subject: [PATCH] disallow vstring magic strings over 2GB-1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On reads this could result in buffer overflows, so avoid writing
+such large vstrings to avoid causing problems for older Storable.
+
+Since we no longer write such large vstrings, we don't want to accept
+them.
+
+I doubt that restricting versions strings to under 2GB-1 will have
+a practical effect on downstream users.
+
+fixes #17306
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ dist/Storable/Storable.xs | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
+index c2335680ab..d27ac58012 100644
+--- a/dist/Storable/Storable.xs
++++ b/dist/Storable/Storable.xs
+@@ -2628,6 +2628,12 @@ static int store_scalar(pTHX_ stcxt_t *cxt, SV *sv)
+             /* The macro passes this by address, not value, and a lot of
+                called code assumes that it's 32 bits without checking.  */
+             const SSize_t len = mg->mg_len;
++            /* we no longer accept vstrings over I32_SIZE-1, so don't emit
++               them, also, older Storables handle them badly.
++            */
++            if (len >= I32_MAX) {
++                CROAK(("vstring too large to freeze"));
++            }
+             STORE_PV_LEN((const char *)mg->mg_ptr,
+                          len, SX_VSTRING, SX_LVSTRING);
+         }
+@@ -5937,12 +5943,19 @@ static SV *retrieve_lvstring(pTHX_ stcxt_t *cxt, const char *cname)
+ {
+ #ifdef SvVOK
+     char *s;
+-    I32 len;
++    U32 len;
+     SV *sv;
+ 
+     RLEN(len);
+-    TRACEME(("retrieve_lvstring (#%d), len = %" IVdf,
+-             (int)cxt->tagnum, (IV)len));
++    TRACEME(("retrieve_lvstring (#%d), len = %" UVuf,
++             (int)cxt->tagnum, (UV)len));
++
++    /* Since we'll no longer produce such large vstrings, reject them
++       here too.
++    */
++    if (len >= I32_MAX) {
++        CROAK(("vstring too large to fetch"));
++    }
+ 
+     New(10003, s, len+1, char);
+     SAFEPVREAD(s, len, s);
+-- 
+2.21.0
+

perl-Storable.spec

@@ -1,7 +1,7 @@
 Name:           perl-Storable
 Epoch:          1
 Version:        3.15
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Persistence for Perl data structures
 # __Storable__.pm:  GPL+ or Artistic
 License:        GPL+ or Artistic
@@ -12,6 +12,9 @@ Source0:        https://cpan.metacpan.org/authors/id/X/XS/XSAWYERX/Storable-%{ve
 Patch0:         Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch
 # Fix array length check in a store hook, in Perl upstream after 5.31.2
 Patch1:         Storable-3.16-Storable-make-count-large-enough.patch
+# Fix a buffer overflow when processing a vstring longer than 2^31-1,
+# Perl GH#17306, in perl upstream after 5.31.6
+Patch2:         perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch
 BuildRequires:  gcc
 BuildRequires:  make
 BuildRequires:  perl-devel
@@ -73,6 +76,7 @@ can be conveniently stored to disk and retrieved at a later time.
 %setup -q -n Storable-%{version}
 %patch0 -p3
 %patch1 -p3
+%patch2 -p3
 
 %build
 perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 OPTIMIZE="$RPM_OPT_FLAGS"
@@ -95,6 +99,10 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Mon Nov 25 2019 Petr Pisar <ppisar@redhat.com> - 1:3.15-4
+- Fix a buffer overflow when processing a vstring longer than 2^31-1
+  (Perl GH#17306)
+
 * Thu Aug 08 2019 Petr Pisar <ppisar@redhat.com> - 1:3.15-3
 - Fix array length check in a store hook