Fix a buffer overread in when parsing a number

2019-11-12 17:18:17 +01:00 · 2019-11-12 17:18:17 +01:00 · 148d5a6bc6
commit 148d5a6bc6
parent 126f691220
2 changed files with 54 additions and 0 deletions
--- a/perl-5.30.1-handle-s-being-updated-without-len-being-updated.patch
+++ b/perl-5.30.1-handle-s-being-updated-without-len-being-updated.patch
@ -0,0 +1,47 @@
 From a0148bb8496444302b087bc0ffcf8dad42f8e475 Mon Sep 17 00:00:00 2001
 From: Tony Cook <tony@develop-help.com>
 Date: Mon, 11 Nov 2019 14:43:42 +1100
 Subject: [PATCH] handle s being updated without len being updated
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 fix #17279
 Petr Písař: Ported to 5.30.1 from
 e56dfd967ce460481a9922d14e931b438548093d.
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 numeric.c           | 2 +-
 t/lib/croak/regcomp | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
 diff --git a/numeric.c b/numeric.c
 index d6ce53e..35adebe 100644
 --- a/numeric.c
 +++ b/numeric.c
@@ -1552,7 +1552,7 @@ Perl_my_atof3(pTHX_ const char* orig, NV* value, const STRLEN len)
         /* strtold() accepts 0x-prefixed hex and in POSIX implementations,
            0b-prefixed binary numbers, which is backward incompatible
         */
 -        if ((len == 0 || len >= 2) && *s == '0' &&
 +        if ((len == 0 || len - (s-orig) >= 2) && *s == '0' &&
             (isALPHA_FOLD_EQ(s[1], 'x') || isALPHA_FOLD_EQ(s[1], 'b'))) {
             *value = 0;
             return (char *)s+1;
 diff --git a/t/lib/croak/regcomp b/t/lib/croak/regcomp
 index 0ba705e..c0c2710 100644
 --- a/t/lib/croak/regcomp
 +++ b/t/lib/croak/regcomp
@@ -70,3 +70,7 @@ qr/((a))/;
 EXPECT
 Too many nested open parens in regex; marked by <-- HERE in m/(( <-- HERE a))/ at - line 3.
 ########
 +# NAME numeric parsing buffer overflow in numeric.c
 +0=~/\p{nV:-0}/
 +EXPECT
 +Can't find Unicode property definition "nV:-0" in regex; marked by <-- HERE in m/\p{nV:-0} <-- HERE / at - line 1.
 -- 
 2.21.0
--- a/perl.spec
+++ b/perl.spec
@ -284,6 +284,10 @@ Patch69:        perl-5.31.5-toke.c-comment-changes.patch
 # Fix a race in File::stat() tests, GH#17234, in upstream after 5.31.5
 Patch70:        perl-5.31.5-prevent-a-race-between-name-based-stat-and-an-open-m.patch
 # Fix a buffer overread in when parsing a number, GH#17279,
 # in upstream after 5.31.5
 Patch71:        perl-5.30.1-handle-s-being-updated-without-len-being-updated.patch
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@ -2875,6 +2879,7 @@ rm -rf .git # Perl tests examine a git repository
 %patch68 -p1
 %patch69 -p1
 %patch70 -p1
 %patch71 -p1
 %patch200 -p1
 %patch201 -p1
@ -2940,6 +2945,7 @@ perl -x patchlevel.h \
    'Fedora Patch68: Fix an unintended upgrade to UTF-8 in the middle of a transliteration' \
    'Fedora Patch69: Fix an unintended upgrade to UTF-8 in the middle of a transliteration' \
    'Fedora Patch70: Fix a race in File::stat() tests (GH#17234)' \
    'Fedora Patch71: Fix a buffer overread in when parsing a number (GH#17279)' \
    'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
    'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
    %{nil}
@ -5192,6 +5198,7 @@ popd
 - Fix handling a layer argument in Tie::StdHandle::BINMODE() (RT#132475)
 - Fix an unintended upgrade to UTF-8 in the middle of a transliteration
 - Fix a race in File::stat() tests (GH#17234)
 - Fix a buffer overread in when parsing a number (GH#17279)
 * Mon Nov 11 2019 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.30.1-447
 - 5.30.1 bump (see <https://metacpan.org/pod/release/SHAY/perl-5.30.1/pod/perldelta.pod>