Fix a buffer overflow when processing a vstring longer than 2^31-1
This commit is contained in:
parent
c1517c8a01
commit
539842d610
@ -0,0 +1,67 @@
From ea1e86cfdf26a330e58ea377a80273de7110011b Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 21 Aug 2019 11:37:58 +1000
Subject: [PATCH] disallow vstring magic strings over 2GB-1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On reads this could result in buffer overflows, so avoid writing
such large vstrings to avoid causing problems for older Storable.
Since we no longer write such large vstrings, we don't want to accept
them.
I doubt that restricting versions strings to under 2GB-1 will have
a practical effect on downstream users.
fixes #17306
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
dist/Storable/Storable.xs | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
index c2335680ab..d27ac58012 100644
--- a/dist/Storable/Storable.xs
+++ b/dist/Storable/Storable.xs
@@ -2628,6 +2628,12 @@ static int store_scalar(pTHX_ stcxt_t *cxt, SV *sv)
/* The macro passes this by address, not value, and a lot of
called code assumes that it's 32 bits without checking. */
const SSize_t len = mg->mg_len;
+ /* we no longer accept vstrings over I32_SIZE-1, so don't emit
+ them, also, older Storables handle them badly.
+ */
+ if (len >= I32_MAX) {
+ CROAK(("vstring too large to freeze"));
+ }
STORE_PV_LEN((const char *)mg->mg_ptr,
len, SX_VSTRING, SX_LVSTRING);
}
@@ -5937,12 +5943,19 @@ static SV *retrieve_lvstring(pTHX_ stcxt_t *cxt, const char *cname)
{
#ifdef SvVOK
char *s;
- I32 len;
+ U32 len;
SV *sv;
RLEN(len);
- TRACEME(("retrieve_lvstring (#%d), len = %" IVdf,
- (int)cxt->tagnum, (IV)len));
+ TRACEME(("retrieve_lvstring (#%d), len = %" UVuf,
+ (int)cxt->tagnum, (UV)len));
+
+ /* Since we'll no longer produce such large vstrings, reject them
+ here too.
+ */
+ if (len >= I32_MAX) {
+ CROAK(("vstring too large to fetch"));
+ }
New(10003, s, len+1, char);
SAFEPVREAD(s, len, s);
--
2.21.0
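Review bot: The new comment in store_scalar (first hunk of the patch) says vstrings over `I32_SIZE-1` are no longer accepted, but the guard it describes tests `len >= I32_MAX`; the comment should name the same limit as the code, e.g. `/* we no longer accept vstrings of I32_MAX bytes or more, so don't emit them; older Storables also handle them badly. */`. In retrieve_lvstring the `len` filled by `RLEN` is now `U32` and is rejected at `len >= I32_MAX` before `New(10003, s, len+1, char)`, so `len+1` stays bounded — that ordering is the actual fix and deserves a one-line comment saying the check must stay ahead of the allocation. On the store side `len` is a signed `SSize_t`, so a negative `mg_len` would pass the new guard; if that cannot occur for vstring magic, a short comment stating so would close the question for the next reader. Both store_scalar and retrieve_lvstring continue outside their hunks.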
@ -1,7 +1,7 @@
Name: perl-Storable
Epoch: 1
Version: 3.15
Release: 3%{?dist}
Release: 4%{?dist}
Summary: Persistence for Perl data structures
# __Storable__.pm: GPL+ or Artistic
License: GPL+ or Artistic
@ -12,6 +12,9 @@ Source0: https://cpan.metacpan.org/authors/id/X/XS/XSAWYERX/Storable-%{ve
Patch0: Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch
# Fix array length check in a store hook, in Perl upstream after 5.31.2
Patch1: Storable-3.16-Storable-make-count-large-enough.patch
# Fix a buffer overflow when processing a vstring longer than 2^31-1,
# Perl GH#17306, in perl upstream after 5.31.6
Patch2: perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch
BuildRequires: gcc
BuildRequires: make
BuildRequires: perl-devel
@ -73,6 +76,7 @@ can be conveniently stored to disk and retrieved at a later time.
%setup -q -n Storable-%{version}
%patch0 -p3
%patch1 -p3
%patch2 -p3
%build
perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 OPTIMIZE="$RPM_OPT_FLAGS"
@ -95,6 +99,10 @@ make test
%{_mandir}/man3/*
%changelog
* Mon Nov 25 2019 Petr Pisar <ppisar@redhat.com> - 1:3.15-4
- Fix a buffer overflow when processing a vstring longer than 2^31-1
(Perl GH#17306)
* Thu Aug 08 2019 Petr Pisar <ppisar@redhat.com> - 1:3.15-3
- Fix array length check in a store hook