Fix a heap-use-after-free in four-arguments substr call

perl-5.24.1-RT-130624-heap-use-after-free-in-4-arg-substr.patch

@@ -0,0 +1,70 @@
+From 4e0fb37303b72ed9d38949139c304abdb73e223e Mon Sep 17 00:00:00 2001
+From: Aaron Crane <arc@cpan.org>
+Date: Tue, 24 Jan 2017 23:39:40 +0000
+Subject: [PATCH] RT#130624: heap-use-after-free in 4-arg substr
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported to 5.24.1:
+
+commit 41b1e858a075694f88057b9514f5fc78c80b5355
+Author: Aaron Crane <arc@cpan.org>
+Date:   Tue Jan 24 23:39:40 2017 +0000
+
+    RT#130624: heap-use-after-free in 4-arg substr
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ pp.c          |  4 +++-
+ t/op/substr.t | 14 +++++++++++++-
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/pp.c b/pp.c
+index 334b353..aa6cff0 100644
+--- a/pp.c
++++ b/pp.c
+@@ -3462,8 +3462,10 @@ PP(pp_substr)
+ 	tmps = SvPV_force_nomg(sv, curlen);
+ 	if (DO_UTF8(repl_sv) && repl_len) {
+ 	    if (!DO_UTF8(sv)) {
++                /* Upgrade the dest, and recalculate tmps in case the buffer
++                 * got reallocated; curlen may also have been changed */
+ 		sv_utf8_upgrade_nomg(sv);
+-		curlen = SvCUR(sv);
++		tmps = SvPV_nomg(sv, curlen);
+ 	    }
+ 	}
+ 	else if (DO_UTF8(sv))
+diff --git a/t/op/substr.t b/t/op/substr.t
+index 01c36a9..f9fee48 100644
+--- a/t/op/substr.t
++++ b/t/op/substr.t
+@@ -22,7 +22,7 @@ $SIG{__WARN__} = sub {
+      }
+ };
+ 
+-plan(389);
++plan(391);
+ 
+ run_tests() unless caller;
+ 
+@@ -872,3 +872,15 @@ is($destroyed, 1, 'Timely scalar destruction with lvalue substr');
+ 
+ # failed with ASAN
+ fresh_perl_is('$0 = "/usr/bin/perl"; substr($0, 0, 0, $0)', '', {}, "(perl #129340) substr() with source in target");
++
++
++# [perl #130624] - heap-use-after-free, observable under asan
++{
++    my $x = "\xE9zzzz";
++    my $y = "\x{100}";
++    my $z = substr $x, 0, 1, $y;
++    is $z, "\xE9",        "RT#130624: heap-use-after-free in 4-arg substr (ret)";
++    is $x, "\x{100}zzzz", "RT#130624: heap-use-after-free in 4-arg substr (targ)";
++}
++
++
+-- 
+2.7.4
+

perl.spec

@@ -323,6 +323,10 @@ Patch92:        perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch
 # in upstream after 5.25.10
 Patch93:        perl-5.25.10-fix-VMS-test-fail.patch
 
+# Fix a heap-use-after-free in four-arguments substr call, RT#130624,
+# in upstream after 5.25.10
+Patch94:        perl-5.24.1-RT-130624-heap-use-after-free-in-4-arg-substr.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
 
@@ -3042,6 +3046,7 @@ popd
 %patch91 -p1
 %patch92 -p1
 %patch93 -p1
+%patch94 -p1
 %patch200 -p1
 %patch201 -p1
 
@@ -3117,6 +3122,7 @@ perl -x patchlevel.h \
     'Fedora Patch88: Fix an use-after-free in substr() that modifies a magic variable (RT#129340)' \
     'Fedora Patch89: Fix a memory leak leak in Perl_reg_named_buff_fetch() (RT#130822)' \
     'Fedora Patch90: Fix an invalid memory read when parsing a loop variable (RT#130814)' \
+    'Fedora Patch94: Fix a heap-use-after-free in four-arguments substr call (RT#130624)' \
     'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
     'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
     %{nil}
@@ -5398,6 +5404,7 @@ popd
 - Fix an use-after-free in substr() that modifies a magic variable (RT#129340)
 - Fix a memory leak leak in Perl_reg_named_buff_fetch() (RT#130822)
 - Fix an invalid memory read when parsing a loop variable (RT#130814)
+- Fix a heap-use-after-free in four-arguments substr call (RT#130624)
 
 * Fri Feb 17 2017 Petr Pisar <ppisar@redhat.com> - 4:5.24.1-389
 - Adapt Compress::Raw::Zlib to zlib-1.2.11 (bug #1420326)