Fix a buffer overread in when parsing a number

perl-5.30.1-handle-s-being-updated-without-len-being-updated.patch

@@ -0,0 +1,47 @@
+From a0148bb8496444302b087bc0ffcf8dad42f8e475 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Mon, 11 Nov 2019 14:43:42 +1100
+Subject: [PATCH] handle s being updated without len being updated
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+fix #17279
+
+Petr Písař: Ported to 5.30.1 from
+e56dfd967ce460481a9922d14e931b438548093d.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ numeric.c           | 2 +-
+ t/lib/croak/regcomp | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/numeric.c b/numeric.c
+index d6ce53e..35adebe 100644
+--- a/numeric.c
++++ b/numeric.c
+@@ -1552,7 +1552,7 @@ Perl_my_atof3(pTHX_ const char* orig, NV* value, const STRLEN len)
+         /* strtold() accepts 0x-prefixed hex and in POSIX implementations,
+            0b-prefixed binary numbers, which is backward incompatible
+         */
+-        if ((len == 0 || len >= 2) && *s == '0' &&
++        if ((len == 0 || len - (s-orig) >= 2) && *s == '0' &&
+             (isALPHA_FOLD_EQ(s[1], 'x') || isALPHA_FOLD_EQ(s[1], 'b'))) {
+             *value = 0;
+             return (char *)s+1;
+diff --git a/t/lib/croak/regcomp b/t/lib/croak/regcomp
+index 0ba705e..c0c2710 100644
+--- a/t/lib/croak/regcomp
++++ b/t/lib/croak/regcomp
+@@ -70,3 +70,7 @@ qr/((a))/;
+ EXPECT
+ Too many nested open parens in regex; marked by <-- HERE in m/(( <-- HERE a))/ at - line 3.
+ ########
++# NAME numeric parsing buffer overflow in numeric.c
++0=~/\p{nV:-0}/
++EXPECT
++Can't find Unicode property definition "nV:-0" in regex; marked by <-- HERE in m/\p{nV:-0} <-- HERE / at - line 1.
+-- 
+2.21.0
+

perl.spec

@@ -284,6 +284,10 @@ Patch69:        perl-5.31.5-toke.c-comment-changes.patch
 # Fix a race in File::stat() tests, GH#17234, in upstream after 5.31.5
 Patch70:        perl-5.31.5-prevent-a-race-between-name-based-stat-and-an-open-m.patch
 
+# Fix a buffer overread in when parsing a number, GH#17279,
+# in upstream after 5.31.5
+Patch71:        perl-5.30.1-handle-s-being-updated-without-len-being-updated.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
 
@@ -2875,6 +2879,7 @@ rm -rf .git # Perl tests examine a git repository
 %patch68 -p1
 %patch69 -p1
 %patch70 -p1
+%patch71 -p1
 %patch200 -p1
 %patch201 -p1
 
@@ -2940,6 +2945,7 @@ perl -x patchlevel.h \
     'Fedora Patch68: Fix an unintended upgrade to UTF-8 in the middle of a transliteration' \
     'Fedora Patch69: Fix an unintended upgrade to UTF-8 in the middle of a transliteration' \
     'Fedora Patch70: Fix a race in File::stat() tests (GH#17234)' \
+    'Fedora Patch71: Fix a buffer overread in when parsing a number (GH#17279)' \
     'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
     'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
     %{nil}
@@ -5192,6 +5198,7 @@ popd
 - Fix handling a layer argument in Tie::StdHandle::BINMODE() (RT#132475)
 - Fix an unintended upgrade to UTF-8 in the middle of a transliteration
 - Fix a race in File::stat() tests (GH#17234)
+- Fix a buffer overread in when parsing a number (GH#17279)
 
 * Mon Nov 11 2019 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.30.1-447
 - 5.30.1 bump (see <https://metacpan.org/pod/release/SHAY/perl-5.30.1/pod/perldelta.pod>