summaryrefslogtreecommitdiffstats
path: root/poky/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch
diff options
context:
space:
mode:
Diffstat (limited to 'poky/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch')
-rw-r--r--poky/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch130
1 files changed, 0 insertions, 130 deletions
diff --git a/poky/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch b/poky/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch
deleted file mode 100644
index 34771624f..000000000
--- a/poky/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From 0abf1e8d89aecd32dbdabda5da4d52a2d57a7cff Mon Sep 17 00:00:00 2001
-From: Karl Williamson <khw@cpan.org>
-Date: Tue, 6 Feb 2018 14:50:48 -0700
-Subject: [PATCH] [perl #132063]: Heap buffer overflow
-
-The proximal cause is several instances in regexec.c of the code
-assuming that the input was valid UTF-8, whereas the input was too short
-for what the start byte claimed it would be.
-
-I grepped through the core for any other similar uses, and did not find
-any.
-
-(cherry picked from commit fe7d8ba0a1bf567af8fa8fea128e2b9f4c553e84)
-
-CVE: CVE-2018-6798
-Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/patch/0abf1e8d89aecd32dbdabda5da4d52a2d57a7cff]
-
-Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
----
- regexec.c | 29 ++++++++++++++++-------------
- t/lib/warnings/regexec | 7 +++++++
- 2 files changed, 23 insertions(+), 13 deletions(-)
-
-diff --git a/regexec.c b/regexec.c
-index 5735b997fd..ea432c39d3 100644
---- a/regexec.c
-+++ b/regexec.c
-@@ -1466,7 +1466,9 @@ Perl_re_intuit_start(pTHX_
- ? trie_utf8_fold \
- : trie_latin_utf8_fold)))
-
--#define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uscan, len, uvc, charid, foldlen, foldbuf, uniflags) \
-+/* 'uscan' is set to foldbuf, and incremented, so below the end of uscan is
-+ * 'foldbuf+sizeof(foldbuf)' */
-+#define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uc_end, uscan, len, uvc, charid, foldlen, foldbuf, uniflags) \
- STMT_START { \
- STRLEN skiplen; \
- U8 flags = FOLD_FLAGS_FULL; \
-@@ -1474,7 +1476,7 @@ STMT_START {
- case trie_flu8: \
- _CHECK_AND_WARN_PROBLEMATIC_LOCALE; \
- if (utf8_target && UTF8_IS_ABOVE_LATIN1(*uc)) { \
-- _CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc + UTF8SKIP(uc)); \
-+ _CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc_end - uc); \
- } \
- goto do_trie_utf8_fold; \
- case trie_utf8_exactfa_fold: \
-@@ -1483,7 +1485,7 @@ STMT_START {
- case trie_utf8_fold: \
- do_trie_utf8_fold: \
- if ( foldlen>0 ) { \
-- uvc = utf8n_to_uvchr( (const U8*) uscan, UTF8_MAXLEN, &len, uniflags ); \
-+ uvc = utf8n_to_uvchr( (const U8*) uscan, foldlen, &len, uniflags ); \
- foldlen -= len; \
- uscan += len; \
- len=0; \
-@@ -1500,7 +1502,7 @@ STMT_START {
- /* FALLTHROUGH */ \
- case trie_latin_utf8_fold: \
- if ( foldlen>0 ) { \
-- uvc = utf8n_to_uvchr( (const U8*) uscan, UTF8_MAXLEN, &len, uniflags ); \
-+ uvc = utf8n_to_uvchr( (const U8*) uscan, foldlen, &len, uniflags ); \
- foldlen -= len; \
- uscan += len; \
- len=0; \
-@@ -1519,7 +1521,7 @@ STMT_START {
- } \
- /* FALLTHROUGH */ \
- case trie_utf8: \
-- uvc = utf8n_to_uvchr( (const U8*) uc, UTF8_MAXLEN, &len, uniflags ); \
-+ uvc = utf8n_to_uvchr( (const U8*) uc, uc_end - uc, &len, uniflags ); \
- break; \
- case trie_plain: \
- uvc = (UV)*uc; \
-@@ -2599,10 +2601,10 @@ S_find_byclass(pTHX_ regexp * prog, const regnode *c, char *s,
- }
- points[pointpos++ % maxlen]= uc;
- if (foldlen || uc < (U8*)strend) {
-- REXEC_TRIE_READ_CHAR(trie_type, trie,
-- widecharmap, uc,
-- uscan, len, uvc, charid, foldlen,
-- foldbuf, uniflags);
-+ REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc,
-+ (U8 *) strend, uscan, len, uvc,
-+ charid, foldlen, foldbuf,
-+ uniflags);
- DEBUG_TRIE_EXECUTE_r({
- dump_exec_pos( (char *)uc, c, strend,
- real_start, s, utf8_target, 0);
-@@ -5511,8 +5513,9 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
- if ( base && (foldlen || uc < (U8*)(reginfo->strend))) {
- I32 offset;
- REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc,
-- uscan, len, uvc, charid, foldlen,
-- foldbuf, uniflags);
-+ (U8 *) reginfo->strend, uscan,
-+ len, uvc, charid, foldlen,
-+ foldbuf, uniflags);
- charcount++;
- if (foldlen>0)
- ST.longfold = TRUE;
-@@ -5642,8 +5645,8 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
- while (foldlen) {
- if (!--chars)
- break;
-- uvc = utf8n_to_uvchr(uscan, UTF8_MAXLEN, &len,
-- uniflags);
-+ uvc = utf8n_to_uvchr(uscan, foldlen, &len,
-+ uniflags);
- uscan += len;
- foldlen -= len;
- }
-diff --git a/t/lib/warnings/regexec b/t/lib/warnings/regexec
-index 900dd6ee7f..6635142dea 100644
---- a/t/lib/warnings/regexec
-+++ b/t/lib/warnings/regexec
-@@ -260,3 +260,10 @@ setlocale(&POSIX::LC_CTYPE, $utf8_locale);
- "k" =~ /(?[ \N{KELVIN SIGN} ])/i;
- ":" =~ /(?[ \: ])/;
- EXPECT
-+########
-+# NAME perl #132063, read beyond buffer end
-+# OPTION fatal
-+"\xff" =~ /(?il)\x{100}|\x{100}/;
-+EXPECT
-+Malformed UTF-8 character: \xff (too short; 1 byte available, need 13) in pattern match (m//) at - line 2.
-+Malformed UTF-8 character (fatal) at - line 2.
---
-2.15.1-424-g9478a660812
-
OpenPOWER on IntegriCloud