rpms/perl/FC-3 perl-5.8.5-CVE-2005-3962-bz174683.patch,1.2,1.3
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Dec 14 19:42:21 UTC 2005
Author: jvdias
Update of /cvs/dist/rpms/perl/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv2114
Modified Files:
perl-5.8.5-CVE-2005-3962-bz174683.patch
Log Message:
Further enhancements to sprintf integer overflow patch (CVE-2005-3962 / bz174717 )
(Upstream patches 26282, 26283, 26284, 26322, 26331, 26333)
perl-5.8.5-CVE-2005-3962-bz174683.patch:
ext/Sys/Syslog/Syslog.pm | 98 ++++++++++++++++++++++++++++++-----------------
handy.h | 82 ++++++++++++++++++---------------------
makedef.pl | 6 --
op.c | 1
opcode.h | 2
opcode.pl | 2
perl.h | 9 +++-
sv.c | 31 +++++++++++---
t/lib/warnings/sv | 6 +-
t/op/sprintf.t | 5 ++
t/op/sprintf2.t | 44 ++++++++++++++++++++-
11 files changed, 186 insertions(+), 100 deletions(-)
Index: perl-5.8.5-CVE-2005-3962-bz174683.patch
===================================================================
RCS file: /cvs/dist/rpms/perl/FC-3/perl-5.8.5-CVE-2005-3962-bz174683.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- perl-5.8.5-CVE-2005-3962-bz174683.patch 2 Dec 2005 19:24:28 -0000 1.2
+++ perl-5.8.5-CVE-2005-3962-bz174683.patch 14 Dec 2005 19:42:19 -0000 1.3
@@ -1,18 +1,489 @@
+--- perl-5.8.5/sv.c.CVE-2005-3962-bz174683 2004-07-12 17:44:41.000000000 -0400
++++ perl-5.8.5/sv.c 2005-12-13 17:24:40.000000000 -0500
+@@ -8568,9 +8568,12 @@
+ if (vectorarg) {
+ if (args)
+ vecsv = va_arg(*args, SV*);
+- else
+- vecsv = (evix ? evix <= svmax : svix < svmax) ?
+- svargs[evix ? evix-1 : svix++] : &PL_sv_undef;
++ else if (evix) {
++ vecsv = (evix > 0 && evix <= svmax)
++ ? svargs[evix-1] : &PL_sv_undef;
++ } else {
++ vecsv = svix < svmax ? svargs[svix++] : &PL_sv_undef;
++ }
+ dotstr = SvPVx(vecsv, dotstrlen);
+ if (DO_UTF8(vecsv))
+ is_utf8 = TRUE;
+@@ -8580,12 +8583,13 @@
+ vecstr = (U8*)SvPVx(vecsv,veclen);
+ vec_utf8 = DO_UTF8(vecsv);
+ }
+- else if (efix ? efix <= svmax : svix < svmax) {
++ else if (efix ? (efix > 0 && efix <= svmax) : svix < svmax) {
+ vecsv = svargs[efix ? efix-1 : svix++];
+ vecstr = (U8*)SvPVx(vecsv,veclen);
+ vec_utf8 = DO_UTF8(vecsv);
+ }
+ else {
++ vecsv = &PL_sv_undef;
+ vecstr = (U8*)"";
+ veclen = 0;
+ }
+@@ -8686,9 +8690,15 @@
+
+ if (vectorize)
+ argsv = vecsv;
+- else if (!args)
+- argsv = (efix ? efix <= svmax : svix < svmax) ?
+- svargs[efix ? efix-1 : svix++] : &PL_sv_undef;
++ else if (!args) {
++ if (efix) {
++ const I32 i = efix-1;
++ argsv = (i >= 0 && i < svmax) ? svargs[i] : &PL_sv_undef;
++ } else {
++ argsv = (svix >= 0 && svix < svmax)
++ ? svargs[svix++] : &PL_sv_undef;
++ }
++ }
+
+ switch (c = *q++) {
+
+@@ -8930,6 +8940,8 @@
+ *--eptr = '0';
+ break;
+ case 2:
++ if (!uv)
++ alt = FALSE;
+ do {
+ dig = uv & 1;
+ *--eptr = '0' + dig;
+@@ -9232,6 +9244,8 @@
+
+ /* calculate width before utf8_upgrade changes it */
+ have = esignlen + zeros + elen;
++ if (have < zeros)
++ Perl_croak_nocontext(PL_memory_wrap);
+
+ if (is_utf8 != has_utf8) {
+ if (is_utf8) {
+@@ -9259,6 +9273,9 @@
+ need = (have > width ? have : width);
+ gap = need - have;
+
++ if (need >= (((STRLEN)~0) - SvCUR(sv) - dotstrlen - 1))
++ Perl_croak_nocontext(PL_memory_wrap);
++
+ SvGROW(sv, SvCUR(sv) + need + dotstrlen + 1);
+ p = SvEND(sv);
+ if (esignlen && fill == '0') {
+--- perl-5.8.5/handy.h.CVE-2005-3962-bz174683 2004-04-21 04:54:04.000000000 -0400
++++ perl-5.8.5/handy.h 2005-12-13 17:17:07.000000000 -0500
+@@ -579,71 +579,65 @@
+
+ =cut */
+
+-#ifndef lint
+-
+ #define NEWSV(x,len) newSV(len)
+
+ #ifdef PERL_MALLOC_WRAP
+ #define MEM_WRAP_CHECK(n,t) \
+- (void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(PL_memory_wrap),0):0)
++ (void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(PL_memory_wrap),0):0)
+ #define MEM_WRAP_CHECK_1(n,t,a) \
+- (void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a),0):0)
++ (void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a),0):0)
+ #define MEM_WRAP_CHECK_2(n,t,a,b) \
+- (void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a,b),0):0)
+-
+-#define New(x,v,n,t) (v = (MEM_WRAP_CHECK(n,t), (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))))
+-#define Newc(x,v,n,t,c) (v = (MEM_WRAP_CHECK(n,t), (c*)safemalloc((MEM_SIZE)((n)*sizeof(t)))))
+-#define Newz(x,v,n,t) (v = (MEM_WRAP_CHECK(n,t), (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))), \
+- memzero((char*)(v), (n)*sizeof(t))
+-#define Renew(v,n,t) \
+- (v = (MEM_WRAP_CHECK(n,t), (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))))
+-#define Renewc(v,n,t,c) \
+- (v = (MEM_WRAP_CHECK(n,t), (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))))
+-#define Safefree(d) safefree((Malloc_t)(d))
+-
+-#define Move(s,d,n,t) (MEM_WRAP_CHECK(n,t), (void)memmove((char*)(d),(char*)(s), (n) * sizeof(t)))
+-#define Copy(s,d,n,t) (MEM_WRAP_CHECK(n,t), (void)memcpy((char*)(d),(char*)(s), (n) * sizeof(t)))
+-#define Zero(d,n,t) (MEM_WRAP_CHECK(n,t), (void)memzero((char*)(d), (n) * sizeof(t)))
++ (void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a,b),0):0)
++#define MEM_WRAP_CHECK_(n,t) MEM_WRAP_CHECK(n,t),
+
+-#define Poison(d,n,t) (MEM_WRAP_CHECK(n,t), (void)memset((char*)(d), 0xAB, (n) * sizeof(t)))
++#define PERL_STRLEN_ROUNDUP(n) ((void)(((n) > (MEM_SIZE)~0 - 2 * PERL_STRLEN_ROUNDUP_QUANTUM) ? (Perl_croak_nocontext(PL_memory_wrap),0):0),((n-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1)))
+
+ #else
+
+ #define MEM_WRAP_CHECK(n,t)
+ #define MEM_WRAP_CHECK_1(n,t,a)
+ #define MEM_WRAP_CHECK_2(n,t,a,b)
++#define MEM_WRAP_CHECK_(n,t)
++
++#define PERL_STRLEN_ROUNDUP(n) (((n-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1)))
++
++#endif
+
+-#define New(x,v,n,t) (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))
+-#define Newc(x,v,n,t,c) (v = (c*)safemalloc((MEM_SIZE)((n)*sizeof(t))))
+-#define Newz(x,v,n,t) (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))), \
++#define Newx(v,n,t) (v = (MEM_WRAP_CHECK_(n,t) (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))))
++#define Newxc(v,n,t,c) (v = (MEM_WRAP_CHECK_(n,t) (c*)safemalloc((MEM_SIZE)((n)*sizeof(t)))))
++#define Newxz(v,n,t) (v = (MEM_WRAP_CHECK_(n,t) (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))), \
+ memzero((char*)(v), (n)*sizeof(t))
++/* pre 5.9.x compatibility */
++#define New(x,v,n,t) Newx(v,n,t)
++#define Newc(x,v,n,t,c) Newxc(v,n,t,c)
++#define Newz(x,v,n,t) Newxz(v,n,t)
++
+ #define Renew(v,n,t) \
+- (v = (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t))))
++ (v = (MEM_WRAP_CHECK_(n,t) (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))))
+ #define Renewc(v,n,t,c) \
+- (v = (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t))))
+-#define Safefree(d) safefree((Malloc_t)(d))
+-
+-#define Move(s,d,n,t) (void)memmove((char*)(d),(char*)(s), (n) * sizeof(t))
+-#define Copy(s,d,n,t) (void)memcpy((char*)(d),(char*)(s), (n) * sizeof(t))
+-#define Zero(d,n,t) (void)memzero((char*)(d), (n) * sizeof(t))
+-
+-#define Poison(d,n,t) (void)memset((char*)(d), 0xAB, (n) * sizeof(t))
++ (v = (MEM_WRAP_CHECK_(n,t) (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))))
+
++#ifdef PERL_POISON
++#define Safefree(d) \
++ (d ? (void)(safefree((Malloc_t)(d)), Poison(&(d), 1, Malloc_t)) : (void) 0)
++#else
++#define Safefree(d) safefree((Malloc_t)(d))
+ #endif
+
+-#else /* lint */
+-
+-#define New(x,v,n,s) (v = Null(s *))
+-#define Newc(x,v,n,s,c) (v = Null(s *))
+-#define Newz(x,v,n,s) (v = Null(s *))
+-#define Renew(v,n,s) (v = Null(s *))
+-#define Move(s,d,n,t)
+-#define Copy(s,d,n,t)
+-#define Zero(d,n,t)
+-#define Poison(d,n,t)
+-#define Safefree(d) (d) = (d)
++#define Move(s,d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memmove((char*)(d),(const char*)(s), (n) * sizeof(t)))
++#define Copy(s,d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memcpy((char*)(d),(const char*)(s), (n) * sizeof(t)))
++#define Zero(d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memzero((char*)(d), (n) * sizeof(t)))
++
++#define MoveD(s,d,n,t) (MEM_WRAP_CHECK_(n,t) memmove((char*)(d),(const char*)(s), (n) * sizeof(t)))
++#define CopyD(s,d,n,t) (MEM_WRAP_CHECK_(n,t) memcpy((char*)(d),(const char*)(s), (n) * sizeof(t)))
++#ifdef HAS_MEMSET
++#define ZeroD(d,n,t) (MEM_WRAP_CHECK_(n,t) memzero((char*)(d), (n) * sizeof(t)))
++#else
++/* Using bzero(), which returns void. */
++#define ZeroD(d,n,t) (MEM_WRAP_CHECK_(n,t) memzero((char*)(d), (n) * sizeof(t)),d)
++#endif
+
+-#endif /* lint */
++#define Poison(d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memset((char*)(d), 0xAB, (n) * sizeof(t)))
+
+ #ifdef USE_STRUCT_COPY
+ #define StructCopy(s,d,t) (*((t*)(d)) = *((t*)(s)))
+--- perl-5.8.5/opcode.h.CVE-2005-3962-bz174683 2004-06-27 11:28:38.000000000 -0400
++++ perl-5.8.5/opcode.h 2005-12-13 17:17:07.000000000 -0500
+@@ -1585,7 +1585,7 @@
+ 0x0022281c, /* vec */
+ 0x0122291c, /* index */
+ 0x0122291c, /* rindex */
+- 0x0004280f, /* sprintf */
++ 0x0004280d, /* sprintf */
+ 0x00042805, /* formline */
+ 0x0001379e, /* ord */
+ 0x0001378e, /* chr */
+--- perl-5.8.5/opcode.pl.CVE-2005-3962-bz174683 2004-03-22 14:53:56.000000000 -0500
++++ perl-5.8.5/opcode.pl 2005-12-13 17:17:07.000000000 -0500
+@@ -602,7 +602,7 @@
+ index index ck_index isT@ S S S?
+ rindex rindex ck_index isT@ S S S?
+
+-sprintf sprintf ck_fun mfst@ S L
++sprintf sprintf ck_fun mst@ S L
+ formline formline ck_fun ms@ S L
+ ord ord ck_fun ifsTu% S?
+ chr chr ck_fun fsTu% S?
+--- perl-5.8.5/ext/Sys/Syslog/Syslog.pm.CVE-2005-3962-bz174683 2004-03-06 16:25:20.000000000 -0500
++++ perl-5.8.5/ext/Sys/Syslog/Syslog.pm 2005-12-13 17:17:07.000000000 -0500
+@@ -1,17 +1,16 @@
+ package Sys::Syslog;
+-require 5.000;
++require 5.006;
+ require Exporter;
+-require DynaLoader;
+ use Carp;
++use strict;
+
+- at ISA = qw(Exporter DynaLoader);
+- at EXPORT = qw(openlog closelog setlogmask syslog);
+- at EXPORT_OK = qw(setlogsock);
+-$VERSION = '0.05';
++our @ISA = qw(Exporter);
++our @EXPORT = qw(openlog closelog setlogmask syslog);
++our @EXPORT_OK = qw(setlogsock);
++our $VERSION = '0.08';
+
+ # it would be nice to try stream/unix first, since that will be
+ # most efficient. However streams are dodgy - see _syslog_send_stream
+-#my @connectMethods = ( 'stream', 'unix', 'tcp', 'udp' );
+ my @connectMethods = ( 'tcp', 'udp', 'unix', 'stream', 'console' );
+ if ($^O =~ /^(freebsd|linux)$/) {
+ @connectMethods = grep { $_ ne 'udp' } @connectMethods;
+@@ -22,8 +21,9 @@
+ my $current_proto = undef;
+ my $failed = undef;
+ my $fail_time = undef;
++our ($connected, @fallbackMethods, $syslog_send, $host);
+
+-use Socket;
++use Socket ':all';
+ use Sys::Hostname;
+
+ =head1 NAME
+@@ -53,26 +53,38 @@
+
+ =item openlog $ident, $logopt, $facility
+
++Opens the syslog.
+ I<$ident> is prepended to every message. I<$logopt> contains zero or
+ more of the words I<pid>, I<ndelay>, I<nowait>. The cons option is
+ ignored, since the failover mechanism will drop down to the console
+ automatically if all other media fail. I<$facility> specifies the
+ part of the system to report about, for example LOG_USER or LOG_LOCAL0:
+ see your C<syslog(3)> documentation for the facilities available in
+-your system.
++your system. This function will croak if it can't connect to the syslog
++daemon.
+
+ B<You should use openlog() before calling syslog().>
+
++=item syslog $priority, $message
++
+ =item syslog $priority, $format, @args
+
+-If I<$priority> permits, logs I<($format, @args)>
+-printed as by C<printf(3V)>, with the addition that I<%m>
+-is replaced with C<"$!"> (the latest error message).
++If I<$priority> permits, logs I<$message> or I<sprintf($format, @args)>
++with the addition that I<%m> in $message or $format is replaced with
++C<"$!"> (the latest error message).
+
+ If you didn't use openlog() before using syslog(), syslog will try to
+ guess the I<$ident> by extracting the shortest prefix of I<$format>
+ that ends in a ":".
+
++Note that Sys::Syslog version v0.07 and older passed the $message as
++the formatting string to sprintf() even when no formatting arguments
++were provided. If the code calling syslog() might execute with older
++versions of this module, make sure to call the function as
++syslog($priority, "%s", $message) instead of syslog($priority,
++$message). This protects against hostile formatting sequences that
++might show up if $message contains tainted data.
++
+ =item setlogmask $mask_priority
+
+ Sets log mask I<$mask_priority> and returns the old mask.
+@@ -114,7 +126,7 @@
+ =head1 EXAMPLES
+
+ openlog($program, 'cons,pid', 'user');
+- syslog('info', 'this is another test');
++ syslog('info', '%s', 'this is another test');
+ syslog('mail|warning', 'this is a better test: %d', time);
+ closelog();
+
+@@ -128,6 +140,12 @@
+ $! = 55;
+ syslog('info', 'problem was %m'); # %m == $! in syslog(3)
+
++ # Log to UDP port on $remotehost instead of logging locally
++ setlogsock('udp');
++ $Sys::Syslog::host = $remotehost;
++ openlog($program, 'ndelay', 'user');
++ syslog('info', 'something happened over here');
++
+ =head1 SEE ALSO
+
+ L<syslog(3)>
+@@ -163,36 +181,38 @@
+ if ($error) {
+ croak $error;
+ }
++ no strict 'refs';
+ *$AUTOLOAD = sub { $val };
+ goto &$AUTOLOAD;
+ }
+
+-bootstrap Sys::Syslog $VERSION;
++require XSLoader;
++XSLoader::load('Sys::Syslog', $VERSION);
+
+-$maskpri = &LOG_UPTO(&LOG_DEBUG);
++our $maskpri = &LOG_UPTO(&LOG_DEBUG);
+
+ sub openlog {
+- ($ident, $logopt, $facility) = @_; # package vars
+- $lo_pid = $logopt =~ /\bpid\b/;
+- $lo_ndelay = $logopt =~ /\bndelay\b/;
+- $lo_nowait = $logopt =~ /\bnowait\b/;
++ our ($ident, $logopt, $facility) = @_; # package vars
++ our $lo_pid = $logopt =~ /\bpid\b/;
++ our $lo_ndelay = $logopt =~ /\bndelay\b/;
++ our $lo_nowait = $logopt =~ /\bnowait\b/;
+ return 1 unless $lo_ndelay;
+ &connect;
+ }
+
+ sub closelog {
+- $facility = $ident = '';
++ our $facility = our $ident = '';
+ &disconnect;
+ }
+
+ sub setlogmask {
+- local($oldmask) = $maskpri;
++ my $oldmask = $maskpri;
+ $maskpri = shift;
+ $oldmask;
+ }
+
+ sub setlogsock {
+- local($setsock) = shift;
++ my $setsock = shift;
+ $syslog_path = shift;
+ &disconnect if $connected;
+ $transmit_ok = 0;
+@@ -254,10 +274,11 @@
+ }
+
+ sub syslog {
+- local($priority) = shift;
+- local($mask) = shift;
+- local($message, $whoami);
+- local(@words, $num, $numpri, $numfac, $sum);
++ my $priority = shift;
++ my $mask = shift;
++ my ($message, $whoami);
++ my (@words, $num, $numpri, $numfac, $sum);
++ our $facility;
+ local($facility) = $facility; # may need to change temporarily.
+
+ croak "syslog: expecting argument \$priority" unless $priority;
+@@ -292,7 +313,7 @@
+
+ &connect unless $connected;
+
+- $whoami = $ident;
++ $whoami = our $ident;
+
+ if (!$whoami && $mask =~ /^(\S.*?):\s?(.*)/) {
+ $whoami = $1;
+@@ -305,11 +326,18 @@
+ ($whoami = 'syslog');
+ }
+
+- $whoami .= "[$$]" if $lo_pid;
++ $whoami .= "[$$]" if our $lo_pid;
++
++ if ($mask =~ /%m/) {
++ my $err = $!;
++ # escape percent signs if sprintf will be called
++ $err =~ s/%/%%/g if @_;
++ # replace %m with $err, if preceded by an even number of percent signs
++ $mask =~ s/(?<!%)((?:%%)*)%m/$1$err/g;
++ }
+
+- $mask =~ s/%m/$!/g;
+ $mask .= "\n" unless $mask =~ /\n$/;
+- $message = sprintf ($mask, @_);
++ $message = @_ ? sprintf($mask, @_) : $mask;
+
+ $sum = $numpri + $numfac;
+ my $buf = "<$sum>$whoami: $message\0";
+@@ -357,6 +385,7 @@
+ # so we do it in a child process and always return success
+ # to the caller.
+ if (my $pid = fork) {
++ our $lo_nowait;
+ if ($lo_nowait) {
+ return 1;
+ } else {
+@@ -393,13 +422,13 @@
+ }
+
+ sub xlate {
+- local($name) = @_;
++ my($name) = @_;
+ return $name+0 if $name =~ /^\s*\d+\s*$/;
+ $name = uc $name;
+ $name = "LOG_$name" unless $name =~ /^LOG_/;
+ $name = "Sys::Syslog::$name";
+ # Can't have just eval { &$name } || -1 because some LOG_XXX may be zero.
+- my $value = eval { &$name };
++ my $value = eval { no strict 'refs'; &$name };
+ defined $value ? $value : -1;
+ }
+
+@@ -413,15 +442,16 @@
+ my @errs = ();
+ my $proto = undef;
+ while ($proto = shift(@fallbackMethods)) {
++ no strict 'refs';
+ my $fn = "connect_$proto";
+- $connected = &$fn(\@errs) unless (!defined &$fn);
++ $connected = &$fn(\@errs) if defined &$fn;
+ last if ($connected);
+ }
+
+ $transmit_ok = 0;
+ if ($connected) {
+ $current_proto = $proto;
+- local($old) = select(SYSLOG); $| = 1; select($old);
++ my($old) = select(SYSLOG); $| = 1; select($old);
+ } else {
+ @fallbackMethods = ();
+ foreach my $err (@errs) {
--- perl-5.8.5/t/op/sprintf2.t.CVE-2005-3962-bz174683 2004-02-09 16:37:13.000000000 -0500
-+++ perl-5.8.5/t/op/sprintf2.t 2005-12-02 13:23:40.000000000 -0500
++++ perl-5.8.5/t/op/sprintf2.t 2005-12-13 17:26:51.000000000 -0500
@@ -6,7 +6,7 @@
require './test.pl';
}
-plan tests => 3;
-+plan tests => 6;
++plan tests => 7 + 256;
is(
sprintf("%.40g ",0.01),
-@@ -26,3 +26,20 @@
+@@ -18,6 +18,7 @@
+ sprintf("%.40f", 0.01)." ",
+ q(the sprintf "%.<number>f" optimization)
+ );
++
+ {
+ chop(my $utf8_format = "%-3s\x{100}");
+ is(
+@@ -26,3 +27,44 @@
q(width calculation under utf8 upgrade)
);
}
++
++# Used to mangle PL_sv_undef
++fresh_perl_is(
++ 'print sprintf "xxx%n\n"; print undef',
++ 'Modification of a read-only value attempted at - line 1.',
++ { switches => [ '-w' ] },
++ q(%n should not be able to modify read-only constants),
++);
++
+# check %NNN$ for range bounds, especially negative 2's complement
+{
+ my ($warn, $bad) = (0,0);
@@ -30,24 +501,99 @@
+ is($warn, 36, "expected warnings");
+ is($bad, 0, "unexpected warnings");
+}
---- perl-5.8.5/sv.c.CVE-2005-3962-bz174683 2004-07-12 17:44:41.000000000 -0400
-+++ perl-5.8.5/sv.c 2005-12-02 13:27:55.000000000 -0500
-@@ -8686,9 +8686,15 @@
++
++{
++ foreach my $ord (0 .. 255) {
++ my $bad = 0;
++ local $SIG{__WARN__} = sub {
++ unless ($_[0] =~ /^Invalid conversion in sprintf/ ||
++ $_[0] =~ /^Use of uninitialized value in sprintf/) {
++ warn $_[0];
++ $bad++;
++ }
++ };
++ my $r = eval {sprintf '%v' . chr $ord};
++ is ($bad, 0, "pattern '%v' . chr $ord");
++ }
++}
+--- perl-5.8.5/t/op/sprintf.t.CVE-2005-3962-bz174683 2003-09-01 03:41:07.000000000 -0400
++++ perl-5.8.5/t/op/sprintf.t 2005-12-13 17:25:21.000000000 -0500
+@@ -385,3 +385,8 @@
+ >%4$K %d< >[45, 67]< >%4$K 45 INVALID<
+ >%d %K %d< >[23, 45]< >23 %K 45 INVALID<
+ >%*v*999\$d %d %d< >[11, 22, 33]< >%*v*999\$d 11 22 INVALID<
++>%#b< >0< >0<
++>%#o< >0< >0<
++>%#x< >0< >0<
++>%2918905856$v2d< >''< ><
++>%*2918905856$v2d< >''< > UNINIT<
+--- perl-5.8.5/t/lib/warnings/sv.CVE-2005-3962-bz174683 2004-03-18 07:51:14.000000000 -0500
++++ perl-5.8.5/t/lib/warnings/sv 2005-12-13 17:17:07.000000000 -0500
+@@ -301,12 +301,12 @@
+ printf F "%\x02" ;
+ $a = sprintf "%\x02" ;
+ EXPECT
+-Invalid conversion in sprintf: "%z" at - line 5.
+-Invalid conversion in sprintf: end of string at - line 7.
+-Invalid conversion in sprintf: "%\002" at - line 9.
+ Invalid conversion in printf: "%z" at - line 4.
++Invalid conversion in sprintf: "%z" at - line 5.
+ Invalid conversion in printf: end of string at - line 6.
++Invalid conversion in sprintf: end of string at - line 7.
+ Invalid conversion in printf: "%\002" at - line 8.
++Invalid conversion in sprintf: "%\002" at - line 9.
+ ########
+ # sv.c
+ use warnings 'misc' ;
+--- perl-5.8.5/op.c.CVE-2005-3962-bz174683 2004-07-04 16:08:20.000000000 -0400
++++ perl-5.8.5/op.c 2005-12-13 17:17:07.000000000 -0500
+@@ -2008,7 +2008,6 @@
+ /* XXX might want a ck_negate() for this */
+ cUNOPo->op_first->op_private &= ~OPpCONST_STRICT;
+ break;
+- case OP_SPRINTF:
+ case OP_UCFIRST:
+ case OP_LCFIRST:
+ case OP_UC:
+--- perl-5.8.5/makedef.pl.CVE-2005-3962-bz174683 2004-05-30 09:23:46.000000000 -0400
++++ perl-5.8.5/makedef.pl 2005-12-13 17:17:07.000000000 -0500
+@@ -627,12 +627,6 @@
+ )];
+ }
- if (vectorize)
- argsv = vecsv;
-- else if (!args)
-- argsv = (efix ? efix <= svmax : svix < svmax) ?
-- svargs[efix ? efix-1 : svix++] : &PL_sv_undef;
-+ else if (!args) {
-+ if (efix) {
-+ const I32 i = efix-1;
-+ argsv = (i >= 0 && i < svmax) ? svargs[i] : &PL_sv_undef;
-+ } else {
-+ argsv = (svix >= 0 && svix < svmax)
-+ ? svargs[svix++] : &PL_sv_undef;
-+ }
-+ }
+-if ($define{'PERL_MALLOC_WRAP'}) {
+- emit_symbols [qw(
+- PL_memory_wrap
+- )];
+-}
+-
+ unless ($define{'USE_5005THREADS'} || $define{'USE_ITHREADS'}) {
+ skip_symbols [qw(
+ PL_thr_key
+--- perl-5.8.5/perl.h.CVE-2005-3962-bz174683 2005-12-13 17:17:07.000000000 -0500
++++ perl-5.8.5/perl.h 2005-12-13 17:17:07.000000000 -0500
+@@ -477,6 +477,13 @@
- switch (c = *q++) {
+ #define MEM_SIZE Size_t
+
++/* Round all values passed to malloc up, by default to a multiple of
++ sizeof(size_t)
++*/
++#ifndef PERL_STRLEN_ROUNDUP_QUANTUM
++#define PERL_STRLEN_ROUNDUP_QUANTUM Size_t_size
++#endif
++
+ #if defined(STANDARD_C) && defined(I_STDDEF)
+ # include <stddef.h>
+ # define STRUCT_OFFSET(s,m) offsetof(s,m)
+@@ -3074,10 +3081,8 @@
+ INIT("\"my\" variable %s can't be in a package");
+ EXTCONST char PL_no_localize_ref[]
+ INIT("Can't localize through a reference");
+-#ifdef PERL_MALLOC_WRAP
+ EXTCONST char PL_memory_wrap[]
+ INIT("panic: memory wrap");
+-#endif
+ EXTCONST char PL_uuemap[65]
+ INIT("`!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_");
More information about the fedora-cvs-commits
mailing list