[perl/f15] Change Perl_repeatcpy() prototype to allow repeat count above 2^31

Petr Pisar ppisar at fedoraproject.org
Fri Nov 4 15:17:15 UTC 2011


commit fb9ad728ff3d60866b1cd721608ce0279c208147
Author: Petr Písař <ppisar at redhat.com>
Date:   Thu Oct 6 17:43:19 2011 +0200

    Change Perl_repeatcpy() prototype to allow repeat count above 2^31

 perl-5.14.2-large-repeat-heap-abuse.patch |   76 +++++++++++++++++++++++++++++
 perl.spec                                 |   17 ++++++-
 2 files changed, 91 insertions(+), 2 deletions(-)
---
diff --git a/perl-5.14.2-large-repeat-heap-abuse.patch b/perl-5.14.2-large-repeat-heap-abuse.patch
new file mode 100644
index 0000000..1793c7a
--- /dev/null
+++ b/perl-5.14.2-large-repeat-heap-abuse.patch
@@ -0,0 +1,76 @@
+From 647b6565b7d935eb9b92e057d0c7ae5fe54726e2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Thu, 6 Oct 2011 16:35:49 +0200
+Subject: [PATCH] Don't segfault given string repeat count larger than 2^31
+
+E.g., this overflows INT_MAX and overruns heap memory:
+
+    $ perl -le 'print "v"x(2**31+1)'
+    [Exit 139 (SEGV)]
+
+(Perl_repeatcpy): Use the same type for "count" as our sole
+callers in pp.c: IV (long), not I32 (int).  Otherwise, passing
+the wider value to a narrower "I32 count"
+
+    http://thread.gmane.org/gmane.comp.lang.perl.perl5.porters/96812
+    https://rt.perl.org/rt3/Ticket/Display.html?id=94560
+
+Original author: Jim Meyering <meyering at redhat.com>
+Petr Pisar: Modify embed.fnc instead of generated proto.h
+---
+ embed.fnc |    2 +-
+ util.c    |    8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/embed.fnc b/embed.fnc
+index bce167e..8c86a3e 100644
+--- a/embed.fnc
++++ b/embed.fnc
+@@ -1032,7 +1032,7 @@ EXp	|SV*|reg_qr_package|NN REGEXP * const rx
+ 
+ : FIXME - why the E?
+ Ep	|void	|regprop	|NULLOK const regexp *prog|NN SV* sv|NN const regnode* o
+-Anp	|void	|repeatcpy	|NN char* to|NN const char* from|I32 len|I32 count
++Anp	|void	|repeatcpy	|NN char* to|NN const char* from|I32 len|IV count
+ AnpP	|char*	|rninstr	|NN const char* big|NN const char* bigend \
+ 				|NN const char* little|NN const char* lend
+ Ap	|Sighandler_t|rsignal	|int i|Sighandler_t t
+diff --git a/util.c b/util.c
+index 0ea39c6..3d4dcc7 100644
+--- a/util.c
++++ b/util.c
+@@ -3315,7 +3315,7 @@ Perl_my_pclose(pTHX_ PerlIO *ptr)
+ 
+ #define PERL_REPEATCPY_LINEAR 4
+ void
+-Perl_repeatcpy(register char *to, register const char *from, I32 len, register I32 count)
++Perl_repeatcpy(register char *to, register const char *from, I32 len, register IV count)
+ {
+     PERL_ARGS_ASSERT_REPEATCPY;
+ 
+@@ -3323,19 +3323,19 @@ Perl_repeatcpy(register char *to, register const char *from, I32 len, register I
+ 	memset(to, *from, count);
+     else if (count) {
+ 	register char *p = to;
+-	I32 items, linear, half;
++	IV items, linear, half;
+ 
+ 	linear = count < PERL_REPEATCPY_LINEAR ? count : PERL_REPEATCPY_LINEAR;
+ 	for (items = 0; items < linear; ++items) {
+ 	    register const char *q = from;
+-	    I32 todo;
++	    IV todo;
+ 	    for (todo = len; todo > 0; todo--)
+ 		*p++ = *q++;
+         }
+ 
+ 	half = count / 2;
+ 	while (items <= half) {
+-	    I32 size = items * len;
++	    IV size = items * len;
+ 	    memcpy(p, to, size);
+ 	    p     += size;
+ 	    items *= 2;
+-- 
+1.7.6.4
+
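Review bot: Widening `count` to IV stops the caller's value from being truncated, but nothing in Perl_repeatcpy itself checks that `count * len` fits in an IV or that `to` really has that many bytes behind it; `memset(to, *from, count)` and `IV size = items * len;` in the doubling loop still rely entirely on the pp.c callers, which are not in this hunk. If a caller derives the buffer size from the same product, an overflow there would reproduce exactly the heap overrun this patch is fixing, so the contract is worth stating at the definition, e.g. `/* Caller must ensure count >= 0, that count * len does not overflow an IV, and that "to" holds at least count * len bytes. */`. The embedded patch ends at `items *= 2;`, so the rest of the function, including how the tail after the last doubling is copied, is outside the hunk.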
diff --git a/perl.spec b/perl.spec
index 7564ac9..18f9408 100644
--- a/perl.spec
+++ b/perl.spec
@@ -20,7 +20,7 @@
 Name:           perl
 Version:        %{perl_version}
 # release number must be even higher, becase dual-lived modules will be broken otherwise
-Release:        162%{?dist}
+Release:        163%{?dist}
 Epoch:          %{perl_epoch}
 Summary:        Practical Extraction and Report Language
 Group:          Development/Languages
@@ -86,6 +86,10 @@ Patch11:         perl-5.14.2-digest_eval.patch
 # Fix CVE-2011-2939, rhbz #731246, fixed in perl-5.14.2.
 Patch12:        perl-5.14.1-CVE-2011-2939.patch
 
+# Change Perl_repeatcpy() prototype to allow repeat count above 2^31
+# rhbz #720610, Perl RT#94560, accepted as v5.15.4-24-g26e1303.
+Patch13:        perl-5.14.2-large-repeat-heap-abuse.patch
+
 # Update some of the bundled modules
 # see http://fedoraproject.org/wiki/Perl/perl.spec for instructions
 
@@ -963,6 +967,7 @@ tarball from perl.org.
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
 
 #copy the example script
 cp -a %{SOURCE5} .
@@ -1042,6 +1047,9 @@ echo "RPM Build arch: %{_arch}"
 %global perl_vendorlib  %{privlib}/vendor_perl
 %global perl_vendorarch %{archlib}/vendor_perl
 
+# For perl-5.14.2-large-repeat-heap-abuse.patch 
+perl regen.pl -v
+
 /bin/sh Configure -des -Doptimize="$RPM_OPT_FLAGS" \
         -Dccdlflags="-Wl,--enable-new-dtags" \
         -DDEBUGGING=-g \
@@ -1177,6 +1185,7 @@ pushd %{build_archlib}/CORE/
     'Fedora Patch10: Update ExtUtils::ParseXS to 2.2206' \
     'Fedora Patch11: Fix code injection in Digest->new()' \
     'Fedora Patch12: Fix CVE-2011-2939' \
+    'Fedora Patch13: Change Perl_repeatcpy() to allow count above 2^31' \ 
     %{nil}
 
 rm patchlevel.bak
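Review bot: The added Patch13 line appears to end with a space after the trailing backslash (`' \ ` at the end of the line), unlike the Patch12 line above it. In shell a backslash followed by a space escapes the space rather than the newline, so the command would end on this line with a stray single-space argument instead of continuing to the `%{nil}` terminator; strip the trailing whitespace so it reads `'Fedora Patch13: Change Perl_repeatcpy() to allow count above 2^31' \`. The command this argument list belongs to starts outside the hunk, so whether the extra argument is harmless or gets recorded as a patch description cannot be confirmed from here.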
@@ -1978,7 +1987,11 @@ rm -rf $RPM_BUILD_ROOT
 
 # Old changelog entries are preserved in CVS.
 %changelog
-* Wed Oct 05 2011 Petr Pisar <ppisar at redhat.com> - 4:5.12.4-161
+* Fri Nov 04 2011 Petr Pisar <ppisar at redhat.com> - 4:5.12.4-163
+- Change Perl_repeatcpy() prototype to allow repeat count above 2^31
+  (bug #720610)
+
+* Wed Oct 05 2011 Petr Pisar <ppisar at redhat.com> - 4:5.12.4-162
 - Fix CVE-2011-3597 (code injection in Digest) (bug #743010)
 - Fix CVE-2011-2939 (heap overflow while decoding Unicode string) (bug #731246)
 

