[packages/perl.git] / perl-5.8.7-CVE-2005-3962-bz174684.patch

--- perl-5.8.7/t/lib/warnings/sv.CVE-2005-3962-bz174684	2004-03-18 07:51:14.000000000 -0500
+++ perl-5.8.7/t/lib/warnings/sv	2005-12-14 12:40:55.000000000 -0500
@@ -301,12 +301,12 @@
 printf F "%\x02" ;
 $a = sprintf "%\x02" ;
 EXPECT
-Invalid conversion in sprintf: "%z" at - line 5.
-Invalid conversion in sprintf: end of string at - line 7.
-Invalid conversion in sprintf: "%\002" at - line 9.
 Invalid conversion in printf: "%z" at - line 4.
+Invalid conversion in sprintf: "%z" at - line 5.
 Invalid conversion in printf: end of string at - line 6.
+Invalid conversion in sprintf: end of string at - line 7.
 Invalid conversion in printf: "%\002" at - line 8.
+Invalid conversion in sprintf: "%\002" at - line 9.
 ########
 # sv.c
 use warnings 'misc' ;
--- perl-5.8.7/t/op/sprintf.t.CVE-2005-3962-bz174684	2003-09-01 03:41:07.000000000 -0400
+++ perl-5.8.7/t/op/sprintf.t	2005-12-14 12:53:09.000000000 -0500
@@ -385,3 +385,8 @@
 >%4$K %d<	>[45, 67]<	>%4$K 45 INVALID<
 >%d %K %d<	>[23, 45]<	>23 %K 45 INVALID<
 >%*v*999\$d %d %d<	>[11, 22, 33]<	>%*v*999\$d 11 22 INVALID<
+>%#b<		>0<	>0<
+>%#o<		>0<	>0<
+>%#x<		>0<	>0<
+>%2918905856$v2d<	>''<	><
+>%*2918905856$v2d<	>''<	> UNINIT<
--- perl-5.8.7/t/op/sprintf2.t.CVE-2005-3962-bz174684	2004-02-09 16:37:13.000000000 -0500
+++ perl-5.8.7/t/op/sprintf2.t	2005-12-14 12:50:39.000000000 -0500
@@ -6,7 +6,7 @@
     require './test.pl';
 }   
 
-plan tests => 3;
+plan tests => 7 + 256;
 
 is(
     sprintf("%.40g ",0.01),
@@ -26,3 +26,43 @@
 		q(width calculation under utf8 upgrade)
 	);
 }
+
+# Used to mangle PL_sv_undef
+fresh_perl_is(
+    'print sprintf "xxx%n\n"; print undef',
+    'Modification of a read-only value attempted at - line 1.',
+    { switches => [ '-w' ] },
+    q(%n should not be able to modify read-only constants),
+);
+
+# check %NNN$ for range bounds, especially negative 2's complement
+{
+    my ($warn, $bad) = (0,0);
+    local $SIG{__WARN__} = sub {
+       if ($_[0] =~ /uninitialized/) {
+           $warn++
+       }
+       else {
+           $bad++
+       }
+    };
+    my $result = sprintf join('', map("%$_\$s%" . ~$_ . '$s', 1..20)),
+       qw(a b c d);
+    is($result, "abcd", "only four valid values");
+    is($warn, 36, "expected warnings");
+    is($bad,   0, "unexpected warnings");
+}
+{
+    foreach my $ord (0 .. 255) {
+	my $bad = 0;
+	local $SIG{__WARN__} = sub {
+	    unless ($_[0] =~ /^Invalid conversion in sprintf/ ||
+		    $_[0] =~ /^Use of uninitialized value in sprintf/) {
+		warn $_[0];
+		$bad++;
+	    }
+	};
+	my $r = eval {sprintf '%v' . chr $ord};
+	is ($bad, 0, "pattern '%v' . chr $ord");
+    }
+}
--- perl-5.8.7/opcode.h.CVE-2005-3962-bz174684	2005-05-27 12:29:50.000000000 -0400
+++ perl-5.8.7/opcode.h	2005-12-14 12:40:55.000000000 -0500
@@ -1585,7 +1585,7 @@
 	0x0022281c,	/* vec */
 	0x0122291c,	/* index */
 	0x0122291c,	/* rindex */
-	0x0004280f,	/* sprintf */
+	0x0004280d,	/* sprintf - WAS 0x0004280f before patch #26283 */
 	0x00042805,	/* formline */
 	0x0001379e,	/* ord */
 	0x0001378e,	/* chr */
--- perl-5.8.7/op.c.CVE-2005-3962-bz174684	2005-04-22 10:12:32.000000000 -0400
+++ perl-5.8.7/op.c	2005-12-14 12:40:55.000000000 -0500
@@ -2076,7 +2076,9 @@
 	/* XXX might want a ck_negate() for this */
 	cUNOPo->op_first->op_private &= ~OPpCONST_STRICT;
 	break;
-    case OP_SPRINTF:
+/* Removed as part of fix for CVE-2005-3962 / Upstream patch 26283 : 
+ *   case OP_SPRINTF:
+ */
     case OP_UCFIRST:
     case OP_LCFIRST:
     case OP_UC:
--- perl-5.8.7/makedef.pl.CVE-2005-3962-bz174684	2005-05-09 09:27:41.000000000 -0400
+++ perl-5.8.7/makedef.pl	2005-12-14 12:40:55.000000000 -0500
@@ -635,11 +635,13 @@
 		    )];
 }
 
-if ($define{'PERL_MALLOC_WRAP'}) {
-    emit_symbols [qw(
-		    PL_memory_wrap
-		    )];
-}
+# Removed as part of fix for CVE-2005-3962 / CVE-2005-3962 /
+# Upstream patch #26283
+# if ($define{'PERL_MALLOC_WRAP'}) {
+#    emit_symbols [qw(
+#		    PL_memory_wrap
+#		    )];
+#}
 
 unless ($define{'USE_5005THREADS'} || $define{'USE_ITHREADS'}) {
     skip_symbols [qw(
--- perl-5.8.7/ext/Sys/Syslog/Syslog.pm.CVE-2005-3962-bz174684	2005-04-22 07:53:56.000000000 -0400
+++ perl-5.8.7/ext/Sys/Syslog/Syslog.pm	2005-12-14 12:40:55.000000000 -0500
@@ -1,14 +1,13 @@
 package Sys::Syslog;
 require 5.006;
 require Exporter;
-require DynaLoader;
 use Carp;
 use strict;
 
-our @ISA = qw(Exporter DynaLoader);
+our @ISA = qw(Exporter);
 our @EXPORT = qw(openlog closelog setlogmask syslog);
 our @EXPORT_OK = qw(setlogsock);
-our $VERSION = '0.06';
+our $VERSION = '0.08';
 
 # it would be nice to try stream/unix first, since that will be
 # most efficient. However streams are dodgy - see _syslog_send_stream
@@ -54,26 +53,38 @@
 
 =item openlog $ident, $logopt, $facility
 
+Opens the syslog.
 I<$ident> is prepended to every message.  I<$logopt> contains zero or
 more of the words I<pid>, I<ndelay>, I<nowait>.  The cons option is
 ignored, since the failover mechanism will drop down to the console
 automatically if all other media fail.  I<$facility> specifies the
 part of the system to report about, for example LOG_USER or LOG_LOCAL0:
 see your C<syslog(3)> documentation for the facilities available in
-your system.
+your system. This function will croak if it can't connect to the syslog
+daemon.
 
 B<You should use openlog() before calling syslog().>
 
+=item syslog $priority, $message
+
 =item syslog $priority, $format, @args
 
-If I<$priority> permits, logs I<($format, @args)>
-printed as by C<printf(3V)>, with the addition that I<%m>
-is replaced with C<"$!"> (the latest error message).
+If I<$priority> permits, logs I<$message> or I<sprintf($format, @args)>
+with the addition that I<%m> in $message or $format is replaced with
+C<"$!"> (the latest error message).
 
 If you didn't use openlog() before using syslog(), syslog will try to
 guess the I<$ident> by extracting the shortest prefix of I<$format>
 that ends in a ":".
 
+Note that Sys::Syslog version v0.07 and older passed the $message as
+the formatting string to sprintf() even when no formatting arguments
+were provided.  If the code calling syslog() might execute with older
+versions of this module, make sure to call the function as
+syslog($priority, "%s", $message) instead of syslog($priority,
+$message).  This protects against hostile formatting sequences that
+might show up if $message contains tainted data.
+
 =item setlogmask $mask_priority
 
 Sets log mask I<$mask_priority> and returns the old mask.
@@ -175,7 +186,8 @@
     goto &$AUTOLOAD;
 }
 
-bootstrap Sys::Syslog $VERSION;
+require XSLoader;
+XSLoader::load('Sys::Syslog', $VERSION);
 
 our $maskpri = &LOG_UPTO(&LOG_DEBUG);
 
@@ -316,9 +328,16 @@
 
     $whoami .= "[$$]" if our $lo_pid;
 
-    $mask =~ s/(?<!%)%m/$!/g;
+    if ($mask =~ /%m/) {
+	my $err = $!;
+	# escape percent signs if sprintf will be called
+	$err =~ s/%/%%/g if @_;
+	# replace %m with $err, if preceded by an even number of percent signs
+	$mask =~ s/(?<!%)((?:%%)*)%m/$1$err/g;
+    }
+
     $mask .= "\n" unless $mask =~ /\n$/;
-    $message = sprintf ($mask, @_);
+    $message = @_ ? sprintf($mask, @_) : $mask;
 
     $sum = $numpri + $numfac;
     my $buf = "<$sum>$whoami: $message\0";
--- perl-5.8.7/opcode.pl.CVE-2005-3962-bz174684	2004-12-01 08:54:30.000000000 -0500
+++ perl-5.8.7/opcode.pl	2005-12-14 12:40:55.000000000 -0500
@@ -606,7 +606,7 @@
 index		index			ck_index	isT@	S S S?
 rindex		rindex			ck_index	isT@	S S S?
 
-sprintf		sprintf			ck_fun		mfst@	S L
+sprintf		sprintf			ck_fun		mst@	S L
 formline	formline		ck_fun		ms@	S L
 ord		ord			ck_fun		ifsTu%	S?
 chr		chr			ck_fun		fsTu%	S?
--- perl-5.8.7/handy.h.CVE-2005-3962-bz174684	2005-04-20 12:33:28.000000000 -0400
+++ perl-5.8.7/handy.h	2005-12-14 12:40:55.000000000 -0500
@@ -598,91 +598,65 @@
 
 =cut */
 
-#ifndef lint
-
 #define NEWSV(x,len)	newSV(len)
 
 #ifdef PERL_MALLOC_WRAP
 #define MEM_WRAP_CHECK(n,t) \
-	(void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(PL_memory_wrap),0):0)
+	(void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(PL_memory_wrap),0):0)
 #define MEM_WRAP_CHECK_1(n,t,a) \
-	(void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a),0):0)
+	(void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a),0):0)
 #define MEM_WRAP_CHECK_2(n,t,a,b) \
-	(void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a,b),0):0)
+	(void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a,b),0):0)
+#define MEM_WRAP_CHECK_(n,t) MEM_WRAP_CHECK(n,t),
 
-#define New(x,v,n,t)	(v = (MEM_WRAP_CHECK(n,t), (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))))
-#define Newc(x,v,n,t,c)	(v = (MEM_WRAP_CHECK(n,t), (c*)safemalloc((MEM_SIZE)((n)*sizeof(t)))))
-#define Newz(x,v,n,t)	(v = (MEM_WRAP_CHECK(n,t), (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))), \
-			memzero((char*)(v), (n)*sizeof(t))
-#define Renew(v,n,t) \
-	  (v = (MEM_WRAP_CHECK(n,t), (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))))
-#define Renewc(v,n,t,c) \
-	  (v = (MEM_WRAP_CHECK(n,t), (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))))
-#define Safefree(d)	safefree((Malloc_t)(d))
-
-#define Move(s,d,n,t)	(MEM_WRAP_CHECK(n,t), (void)memmove((char*)(d),(char*)(s), (n) * sizeof(t)))
-#define Copy(s,d,n,t)	(MEM_WRAP_CHECK(n,t), (void)memcpy((char*)(d),(char*)(s), (n) * sizeof(t)))
-#define Zero(d,n,t)	(MEM_WRAP_CHECK(n,t), (void)memzero((char*)(d), (n) * sizeof(t)))
-
-#define MoveD(s,d,n,t)	(MEM_WRAP_CHECK(n,t), memmove((char*)(d),(char*)(s), (n) * sizeof(t)))
-#define CopyD(s,d,n,t)	(MEM_WRAP_CHECK(n,t), memcpy((char*)(d),(char*)(s), (n) * sizeof(t)))
-#ifdef HAS_MEMSET
-#define ZeroD(d,n,t)	(MEM_WRAP_CHECK(n,t), memzero((char*)(d), (n) * sizeof(t)))
-#else
-/* Using bzero(), which returns void.  */
-#define ZeroD(d,n,t)	(MEM_WRAP_CHECK(n,t), memzero((char*)(d), (n) * sizeof(t)),d)
-#endif
-
-#define Poison(d,n,t)	(MEM_WRAP_CHECK(n,t), (void)memset((char*)(d), 0xAB, (n) * sizeof(t)))
+#define PERL_STRLEN_ROUNDUP(n) ((void)(((n) > (MEM_SIZE)~0 - 2 * PERL_STRLEN_ROUNDUP_QUANTUM) ? (Perl_croak_nocontext(PL_memory_wrap),0):0),((n-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1)))
 
 #else
 
 #define MEM_WRAP_CHECK(n,t)
 #define MEM_WRAP_CHECK_1(n,t,a)
 #define MEM_WRAP_CHECK_2(n,t,a,b)
+#define MEM_WRAP_CHECK_(n,t)
+
+#define PERL_STRLEN_ROUNDUP(n) (((n-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1)))
 
-#define New(x,v,n,t)	(v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))
-#define Newc(x,v,n,t,c)	(v = (c*)safemalloc((MEM_SIZE)((n)*sizeof(t))))
-#define Newz(x,v,n,t)	(v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))), \
+#endif
+
+#define Newx(v,n,t)	(v = (MEM_WRAP_CHECK_(n,t) (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))))
+#define Newxc(v,n,t,c)	(v = (MEM_WRAP_CHECK_(n,t) (c*)safemalloc((MEM_SIZE)((n)*sizeof(t)))))
+#define Newxz(v,n,t)	(v = (MEM_WRAP_CHECK_(n,t) (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))), \
 			memzero((char*)(v), (n)*sizeof(t))
+/* pre 5.9.x compatibility */
+#define New(x,v,n,t)	Newx(v,n,t)
+#define Newc(x,v,n,t,c)	Newxc(v,n,t,c)
+#define Newz(x,v,n,t)	Newxz(v,n,t)
+
 #define Renew(v,n,t) \
-	  (v = (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t))))
+	  (v = (MEM_WRAP_CHECK_(n,t) (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))))
 #define Renewc(v,n,t,c) \
-	  (v = (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t))))
-#define Safefree(d)	safefree((Malloc_t)(d))
-
-#define Move(s,d,n,t)	(void)memmove((char*)(d),(char*)(s), (n) * sizeof(t))
-#define Copy(s,d,n,t)	(void)memcpy((char*)(d),(char*)(s), (n) * sizeof(t))
-#define Zero(d,n,t)	(void)memzero((char*)(d), (n) * sizeof(t))
+	  (v = (MEM_WRAP_CHECK_(n,t) (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))))
 
-#define MoveD(s,d,n,t)	memmove((char*)(d),(char*)(s), (n) * sizeof(t))
-#define CopyD(s,d,n,t)	memcpy((char*)(d),(char*)(s), (n) * sizeof(t))
-#ifdef HAS_MEMSET
-#define ZeroD(d,n,t)	memzero((char*)(d), (n) * sizeof(t))
+#ifdef PERL_POISON
+#define Safefree(d) \
+  (d ? (void)(safefree((Malloc_t)(d)), Poison(&(d), 1, Malloc_t)) : (void) 0)
 #else
-#define ZeroD(d,n,t)	((void)memzero((char*)(d), (n) * sizeof(t)),d)
+#define Safefree(d)	safefree((Malloc_t)(d))
 #endif
 
-#define Poison(d,n,t)	(void)memset((char*)(d), 0xAB, (n) * sizeof(t))
+#define Move(s,d,n,t)	(MEM_WRAP_CHECK_(n,t) (void)memmove((char*)(d),(const char*)(s), (n) * sizeof(t)))
+#define Copy(s,d,n,t)	(MEM_WRAP_CHECK_(n,t) (void)memcpy((char*)(d),(const char*)(s), (n) * sizeof(t)))
+#define Zero(d,n,t)	(MEM_WRAP_CHECK_(n,t) (void)memzero((char*)(d), (n) * sizeof(t)))
 
+#define MoveD(s,d,n,t)	(MEM_WRAP_CHECK_(n,t) memmove((char*)(d),(const char*)(s), (n) * sizeof(t)))
+#define CopyD(s,d,n,t)	(MEM_WRAP_CHECK_(n,t) memcpy((char*)(d),(const char*)(s), (n) * sizeof(t)))
+#ifdef HAS_MEMSET
+#define ZeroD(d,n,t)	(MEM_WRAP_CHECK_(n,t) memzero((char*)(d), (n) * sizeof(t)))
+#else
+/* Using bzero(), which returns void.  */
+#define ZeroD(d,n,t)	(MEM_WRAP_CHECK_(n,t) memzero((char*)(d), (n) * sizeof(t)),d)
 #endif
 
-#else /* lint */
-
-#define New(x,v,n,s)	(v = Null(s *))
-#define Newc(x,v,n,s,c)	(v = Null(s *))
-#define Newz(x,v,n,s)	(v = Null(s *))
-#define Renew(v,n,s)	(v = Null(s *))
-#define Move(s,d,n,t)
-#define Copy(s,d,n,t)
-#define Zero(d,n,t)
-#define MoveD(s,d,n,t)	d
-#define CopyD(s,d,n,t)	d
-#define ZeroD(d,n,t)	d
-#define Poison(d,n,t)
-#define Safefree(d)	(d) = (d)
-
-#endif /* lint */
+#define Poison(d,n,t)	(MEM_WRAP_CHECK_(n,t) (void)memset((char*)(d), 0xAB, (n) * sizeof(t)))
 
 #ifdef USE_STRUCT_COPY
 #define StructCopy(s,d,t) (*((t*)(d)) = *((t*)(s)))
--- perl-5.8.7/perl.h.CVE-2005-3962-bz174684	2005-12-14 12:40:55.000000000 -0500
+++ perl-5.8.7/perl.h	2005-12-14 12:40:55.000000000 -0500
@@ -720,6 +720,13 @@
 
 #define MEM_SIZE Size_t
 
+/* Round all values passed to malloc up, by default to a multiple of
+   sizeof(size_t)
+*/
+#ifndef PERL_STRLEN_ROUNDUP_QUANTUM
+#define PERL_STRLEN_ROUNDUP_QUANTUM Size_t_size
+#endif
+
 #if defined(STANDARD_C) && defined(I_STDDEF)
 #   include <stddef.h>
 #   define STRUCT_OFFSET(s,m)  offsetof(s,m)
@@ -3332,10 +3339,8 @@
   INIT("\"my\" variable %s can't be in a package");
 EXTCONST char PL_no_localize_ref[]
   INIT("Can't localize through a reference");
-#ifdef PERL_MALLOC_WRAP
 EXTCONST char PL_memory_wrap[]
   INIT("panic: memory wrap");
-#endif
 
 EXTCONST char PL_uuemap[65]
   INIT("`!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_");
--- perl-5.8.7/sv.c.CVE-2005-3962-bz174684	2005-05-27 06:38:11.000000000 -0400
+++ perl-5.8.7/sv.c	2005-12-14 12:48:45.000000000 -0500
@@ -8589,9 +8589,12 @@
 	    if (vectorarg) {
 		if (args)
 		    vecsv = va_arg(*args, SV*);
-		else
-		    vecsv = (evix ? evix <= svmax : svix < svmax) ?
-			svargs[evix ? evix-1 : svix++] : &PL_sv_undef;
+		else if (evix) {
+		    vecsv = (evix > 0 && evix <= svmax)
+			? svargs[evix-1] : &PL_sv_undef;
+		} else {
+		    vecsv = svix < svmax ? svargs[svix++] : &PL_sv_undef;
+		}
 		dotstr = SvPVx(vecsv, dotstrlen);
 		if (DO_UTF8(vecsv))
 		    is_utf8 = TRUE;
@@ -8601,12 +8604,13 @@
 		vecstr = (U8*)SvPVx(vecsv,veclen);
 		vec_utf8 = DO_UTF8(vecsv);
 	    }
-	    else if (efix ? efix <= svmax : svix < svmax) {
+	    else if (efix ? (efix > 0 && efix <= svmax) : svix < svmax) {
 		vecsv = svargs[efix ? efix-1 : svix++];
 		vecstr = (U8*)SvPVx(vecsv,veclen);
 		vec_utf8 = DO_UTF8(vecsv);
 	    }
 	    else {
+		vecsv = &PL_sv_undef;
 		vecstr = (U8*)"";
 		veclen = 0;
 	    }
@@ -8707,9 +8711,15 @@
 
 	if (vectorize)
 	    argsv = vecsv;
-	else if (!args)
-	    argsv = (efix ? efix <= svmax : svix < svmax) ?
-		    svargs[efix ? efix-1 : svix++] : &PL_sv_undef;
+	else if (!args) {
+	    if (efix) {
+		const I32 i = efix-1;
+		argsv = (i >= 0 && i < svmax) ? svargs[i] : &PL_sv_undef;
+	    } else {
+		argsv = (svix >= 0 && svix < svmax)
+		    ? svargs[svix++] : &PL_sv_undef;
+	    }
+	}
 
 	switch (c = *q++) {
 
@@ -8972,6 +8982,8 @@
 		    *--eptr = '0';
 		break;
 	    case 2:
+		if (!uv)
+		    alt = FALSE;
 		do {
 		    dig = uv & 1;
 		    *--eptr = '0' + dig;
@@ -9274,6 +9286,8 @@
 
 	/* calculate width before utf8_upgrade changes it */
 	have = esignlen + zeros + elen;
+	if (have < zeros)
+	    Perl_croak_nocontext(PL_memory_wrap);
 
 	if (is_utf8 != has_utf8) {
 	     if (is_utf8) {
@@ -9301,6 +9315,9 @@
 	need = (have > width ? have : width);
 	gap = need - have;
 
+	if (need >= (((STRLEN)~0) - SvCUR(sv) - dotstrlen - 1))
+	    Perl_croak_nocontext(PL_memory_wrap);
+
 	SvGROW(sv, SvCUR(sv) + need + dotstrlen + 1);
 	p = SvEND(sv);
 	if (esignlen && fill == '0') {
--- perl-5.8.7/globvar.sym.CVE-2005-3962-bz174684	2000-08-14 11:22:14.000000000 -0400
+++ perl-5.8.7/globvar.sym	2005-12-14 12:51:12.000000000 -0500
@@ -66,3 +66,4 @@
 vtbl_collxfrm
 vtbl_amagic
 vtbl_amagicelem
+memory_wrap
Commit	Line	Data
21155a62 AM	1	--- perl-5.8.7/t/lib/warnings/sv.CVE-2005-3962-bz174684 2004-03-18 07:51:14.000000000 -0500
	2	+++ perl-5.8.7/t/lib/warnings/sv 2005-12-14 12:40:55.000000000 -0500
	3	@@ -301,12 +301,12 @@
	4	printf F "%\x02" ;
	5	$a = sprintf "%\x02" ;
	6	EXPECT
	7	-Invalid conversion in sprintf: "%z" at - line 5.
	8	-Invalid conversion in sprintf: end of string at - line 7.
	9	-Invalid conversion in sprintf: "%\002" at - line 9.
	10	Invalid conversion in printf: "%z" at - line 4.
	11	+Invalid conversion in sprintf: "%z" at - line 5.
	12	Invalid conversion in printf: end of string at - line 6.
	13	+Invalid conversion in sprintf: end of string at - line 7.
	14	Invalid conversion in printf: "%\002" at - line 8.
	15	+Invalid conversion in sprintf: "%\002" at - line 9.
	16	########
	17	# sv.c
	18	use warnings 'misc' ;
	19	--- perl-5.8.7/t/op/sprintf.t.CVE-2005-3962-bz174684 2003-09-01 03:41:07.000000000 -0400
	20	+++ perl-5.8.7/t/op/sprintf.t 2005-12-14 12:53:09.000000000 -0500
	21	@@ -385,3 +385,8 @@
	22	>%4$K %d< >[45, 67]< >%4$K 45 INVALID<
	23	>%d %K %d< >[23, 45]< >23 %K 45 INVALID<
	24	>%v999\$d %d %d< >[11, 22, 33]< >%v999\$d 11 22 INVALID<
	25	+>%#b< >0< >0<
	26	+>%#o< >0< >0<
	27	+>%#x< >0< >0<
	28	+>%2918905856$v2d< >''< ><
	29	+>%*2918905856$v2d< >''< > UNINIT<
	30	--- perl-5.8.7/t/op/sprintf2.t.CVE-2005-3962-bz174684 2004-02-09 16:37:13.000000000 -0500
	31	+++ perl-5.8.7/t/op/sprintf2.t 2005-12-14 12:50:39.000000000 -0500
	32	@@ -6,7 +6,7 @@
	33	require './test.pl';
	34	}
	35
	36	-plan tests => 3;
	37	+plan tests => 7 + 256;
	38
	39	is(
	40	sprintf("%.40g ",0.01),
	41	@@ -26,3 +26,43 @@
	42	q(width calculation under utf8 upgrade)
	43	);
	44	}
	45	+
	46	+# Used to mangle PL_sv_undef
	47	+fresh_perl_is(
	48	+ 'print sprintf "xxx%n\n"; print undef',
	49	+ 'Modification of a read-only value attempted at - line 1.',
	50	+ { switches => [ '-w' ] },
	51	+ q(%n should not be able to modify read-only constants),
	52	+);
	53	+
	54	+# check %NNN$ for range bounds, especially negative 2's complement
	55	+{
	56	+ my ($warn, $bad) = (0,0);
	57	+ local $SIG{__WARN__} = sub {
	58	+ if ($_[0] =~ /uninitialized/) {
	59	+ $warn++
	60	+ }
	61	+ else {
	62	+ $bad++
	63	+ }
	64	+ };
65	+ my $result = sprintf join('', map("%$_\$s%" . ~$_ . '$s', 1..20)),
66	+ qw(a b c d);
67	+ is($result, "abcd", "only four valid values");
68	+ is($warn, 36, "expected warnings");
69	+ is($bad, 0, "unexpected warnings");
70	+}
71	+{
72	+ foreach my $ord (0 .. 255) {
73	+ my $bad = 0;
74	+ local $SIG{__WARN__} = sub {
75	+ unless ($_[0] =~ /^Invalid conversion in sprintf/ \|\|
76	+ $_[0] =~ /^Use of uninitialized value in sprintf/) {
77	+ warn $_[0];
78	+ $bad++;
79	+ }
80	+ };
81	+ my $r = eval {sprintf '%v' . chr $ord};
82	+ is ($bad, 0, "pattern '%v' . chr $ord");
83	+ }
84	+}
85	--- perl-5.8.7/opcode.h.CVE-2005-3962-bz174684 2005-05-27 12:29:50.000000000 -0400
86	+++ perl-5.8.7/opcode.h 2005-12-14 12:40:55.000000000 -0500
87	@@ -1585,7 +1585,7 @@
88	0x0022281c, /* vec */
89	0x0122291c, /* index */
90	0x0122291c, /* rindex */
91	- 0x0004280f, /* sprintf */
92	+ 0x0004280d, /* sprintf - WAS 0x0004280f before patch #26283 */
93	0x00042805, /* formline */
94	0x0001379e, /* ord */
95	0x0001378e, /* chr */
96	--- perl-5.8.7/op.c.CVE-2005-3962-bz174684 2005-04-22 10:12:32.000000000 -0400
97	+++ perl-5.8.7/op.c 2005-12-14 12:40:55.000000000 -0500
98	@@ -2076,7 +2076,9 @@
99	/* XXX might want a ck_negate() for this */
100	cUNOPo->op_first->op_private &= ~OPpCONST_STRICT;
101	break;
102	- case OP_SPRINTF:
103	+/* Removed as part of fix for CVE-2005-3962 / Upstream patch 26283 :
104	+ * case OP_SPRINTF:
105	+ */
106	case OP_UCFIRST:
107	case OP_LCFIRST:
108	case OP_UC:
109	--- perl-5.8.7/makedef.pl.CVE-2005-3962-bz174684 2005-05-09 09:27:41.000000000 -0400
110	+++ perl-5.8.7/makedef.pl 2005-12-14 12:40:55.000000000 -0500
111	@@ -635,11 +635,13 @@
112	)];
113	}
114
115	-if ($define{'PERL_MALLOC_WRAP'}) {
116	- emit_symbols [qw(
117	- PL_memory_wrap
118	- )];
119	-}
120	+# Removed as part of fix for CVE-2005-3962 / CVE-2005-3962 /
121	+# Upstream patch #26283
122	+# if ($define{'PERL_MALLOC_WRAP'}) {
123	+# emit_symbols [qw(
124	+# PL_memory_wrap
125	+# )];
126	+#}
127
128	unless ($define{'USE_5005THREADS'} \|\| $define{'USE_ITHREADS'}) {
129	skip_symbols [qw(
130	--- perl-5.8.7/ext/Sys/Syslog/Syslog.pm.CVE-2005-3962-bz174684 2005-04-22 07:53:56.000000000 -0400
131	+++ perl-5.8.7/ext/Sys/Syslog/Syslog.pm 2005-12-14 12:40:55.000000000 -0500
132	@@ -1,14 +1,13 @@
133	package Sys::Syslog;
134	require 5.006;
135	require Exporter;
136	-require DynaLoader;
137	use Carp;
138	use strict;
139
140	-our @ISA = qw(Exporter DynaLoader);
141	+our @ISA = qw(Exporter);
142	our @EXPORT = qw(openlog closelog setlogmask syslog);
143	our @EXPORT_OK = qw(setlogsock);
144	-our $VERSION = '0.06';
145	+our $VERSION = '0.08';
146
147	# it would be nice to try stream/unix first, since that will be
148	# most efficient. However streams are dodgy - see _syslog_send_stream
149	@@ -54,26 +53,38 @@
150
151	=item openlog $ident, $logopt, $facility
152
153	+Opens the syslog.
154	I<$ident> is prepended to every message. I<$logopt> contains zero or
155	more of the words I<pid>, I<ndelay>, I<nowait>. The cons option is
156	ignored, since the failover mechanism will drop down to the console
157	automatically if all other media fail. I<$facility> specifies the
158	part of the system to report about, for example LOG_USER or LOG_LOCAL0:
159	see your C<syslog(3)> documentation for the facilities available in
160	-your system.
161	+your system. This function will croak if it can't connect to the syslog
162	+daemon.
163
164	B<You should use openlog() before calling syslog().>
165
166	+=item syslog $priority, $message
167	+
168	=item syslog $priority, $format, @args
169
170	-If I<$priority> permits, logs I<($format, @args)>
171	-printed as by C<printf(3V)>, with the addition that I<%m>
172	-is replaced with C<"$!"> (the latest error message).
173	+If I<$priority> permits, logs I<$message> or I<sprintf($format, @args)>
174	+with the addition that I<%m> in $message or $format is replaced with
175	+C<"$!"> (the latest error message).
176
177	If you didn't use openlog() before using syslog(), syslog will try to
178	guess the I<$ident> by extracting the shortest prefix of I<$format>
179	that ends in a ":".
180
181	+Note that Sys::Syslog version v0.07 and older passed the $message as
182	+the formatting string to sprintf() even when no formatting arguments
183	+were provided. If the code calling syslog() might execute with older
184	+versions of this module, make sure to call the function as
185	+syslog($priority, "%s", $message) instead of syslog($priority,
186	+$message). This protects against hostile formatting sequences that
187	+might show up if $message contains tainted data.
188	+
189	=item setlogmask $mask_priority
190
191	Sets log mask I<$mask_priority> and returns the old mask.
192	@@ -175,7 +186,8 @@
193	goto &$AUTOLOAD;
194	}
195
196	-bootstrap Sys::Syslog $VERSION;
197	+require XSLoader;
198	+XSLoader::load('Sys::Syslog', $VERSION);
199
200	our $maskpri = &LOG_UPTO(&LOG_DEBUG);
201
202	@@ -316,9 +328,16 @@
203
204	$whoami .= "[$$]" if our $lo_pid;
205
206	- $mask =~ s/(?<!%)%m/$!/g;
207	+ if ($mask =~ /%m/) {
208	+ my $err = $!;
209	+ # escape percent signs if sprintf will be called
210	+ $err =~ s/%/%%/g if @_;
211	+ # replace %m with $err, if preceded by an even number of percent signs
212	+ $mask =~ s/(?<!%)((?:%%)*)%m/$1$err/g;
213	+ }
214	+
215	$mask .= "\n" unless $mask =~ /\n$/;
216	- $message = sprintf ($mask, @_);
217	+ $message = @_ ? sprintf($mask, @_) : $mask;
218
219	$sum = $numpri + $numfac;
220	my $buf = "<$sum>$whoami: $message\0";
221	--- perl-5.8.7/opcode.pl.CVE-2005-3962-bz174684 2004-12-01 08:54:30.000000000 -0500
222	+++ perl-5.8.7/opcode.pl 2005-12-14 12:40:55.000000000 -0500
223	@@ -606,7 +606,7 @@
224	index index ck_index isT@ S S S?
225	rindex rindex ck_index isT@ S S S?
226
227	-sprintf sprintf ck_fun mfst@ S L
228	+sprintf sprintf ck_fun mst@ S L
229	formline formline ck_fun ms@ S L
230	ord ord ck_fun ifsTu% S?
231	chr chr ck_fun fsTu% S?
232	--- perl-5.8.7/handy.h.CVE-2005-3962-bz174684 2005-04-20 12:33:28.000000000 -0400
233	+++ perl-5.8.7/handy.h 2005-12-14 12:40:55.000000000 -0500
234	@@ -598,91 +598,65 @@
235
236	=cut */
237
238	-#ifndef lint
239	-
240	#define NEWSV(x,len) newSV(len)
241
242	#ifdef PERL_MALLOC_WRAP
243	#define MEM_WRAP_CHECK(n,t) \
244	- (void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(PL_memory_wrap),0):0)
245	+ (void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(PL_memory_wrap),0):0)
246	#define MEM_WRAP_CHECK_1(n,t,a) \
247	- (void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a),0):0)
248	+ (void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a),0):0)
249	#define MEM_WRAP_CHECK_2(n,t,a,b) \
250	- (void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a,b),0):0)
251	+ (void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a,b),0):0)
252	+#define MEM_WRAP_CHECK_(n,t) MEM_WRAP_CHECK(n,t),
253
254	-#define New(x,v,n,t) (v = (MEM_WRAP_CHECK(n,t), (t)safemalloc((MEM_SIZE)((n)sizeof(t)))))
255	-#define Newc(x,v,n,t,c) (v = (MEM_WRAP_CHECK(n,t), (c)safemalloc((MEM_SIZE)((n)sizeof(t)))))
256	-#define Newz(x,v,n,t) (v = (MEM_WRAP_CHECK(n,t), (t)safemalloc((MEM_SIZE)((n)sizeof(t))))), \
257	- memzero((char)(v), (n)sizeof(t))
258	-#define Renew(v,n,t) \
259	- (v = (MEM_WRAP_CHECK(n,t), (t)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)sizeof(t)))))
260	-#define Renewc(v,n,t,c) \
261	- (v = (MEM_WRAP_CHECK(n,t), (c)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)sizeof(t)))))
262	-#define Safefree(d) safefree((Malloc_t)(d))
263	-
264	-#define Move(s,d,n,t) (MEM_WRAP_CHECK(n,t), (void)memmove((char)(d),(char)(s), (n) * sizeof(t)))
265	-#define Copy(s,d,n,t) (MEM_WRAP_CHECK(n,t), (void)memcpy((char)(d),(char)(s), (n) * sizeof(t)))
266	-#define Zero(d,n,t) (MEM_WRAP_CHECK(n,t), (void)memzero((char)(d), (n) sizeof(t)))
267	-
268	-#define MoveD(s,d,n,t) (MEM_WRAP_CHECK(n,t), memmove((char)(d),(char)(s), (n) * sizeof(t)))
269	-#define CopyD(s,d,n,t) (MEM_WRAP_CHECK(n,t), memcpy((char)(d),(char)(s), (n) * sizeof(t)))
270	-#ifdef HAS_MEMSET
271	-#define ZeroD(d,n,t) (MEM_WRAP_CHECK(n,t), memzero((char)(d), (n) sizeof(t)))
272	-#else
273	-/* Using bzero(), which returns void. */
274	-#define ZeroD(d,n,t) (MEM_WRAP_CHECK(n,t), memzero((char)(d), (n) sizeof(t)),d)
275	-#endif
276	-
277	-#define Poison(d,n,t) (MEM_WRAP_CHECK(n,t), (void)memset((char)(d), 0xAB, (n) sizeof(t)))
278	+#define PERL_STRLEN_ROUNDUP(n) ((void)(((n) > (MEM_SIZE)~0 - 2 * PERL_STRLEN_ROUNDUP_QUANTUM) ? (Perl_croak_nocontext(PL_memory_wrap),0):0),((n-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1)))
279
280	#else
281
282	#define MEM_WRAP_CHECK(n,t)
283	#define MEM_WRAP_CHECK_1(n,t,a)
284	#define MEM_WRAP_CHECK_2(n,t,a,b)
285	+#define MEM_WRAP_CHECK_(n,t)
286	+
287	+#define PERL_STRLEN_ROUNDUP(n) (((n-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1)))
288
289	-#define New(x,v,n,t) (v = (t)safemalloc((MEM_SIZE)((n)sizeof(t))))
290	-#define Newc(x,v,n,t,c) (v = (c)safemalloc((MEM_SIZE)((n)sizeof(t))))
291	-#define Newz(x,v,n,t) (v = (t)safemalloc((MEM_SIZE)((n)sizeof(t)))), \
292	+#endif
293	+
294	+#define Newx(v,n,t) (v = (MEM_WRAP_CHECK_(n,t) (t)safemalloc((MEM_SIZE)((n)sizeof(t)))))
295	+#define Newxc(v,n,t,c) (v = (MEM_WRAP_CHECK_(n,t) (c)safemalloc((MEM_SIZE)((n)sizeof(t)))))
296	+#define Newxz(v,n,t) (v = (MEM_WRAP_CHECK_(n,t) (t)safemalloc((MEM_SIZE)((n)sizeof(t))))), \
297	memzero((char)(v), (n)sizeof(t))
298	+/* pre 5.9.x compatibility */
299	+#define New(x,v,n,t) Newx(v,n,t)
300	+#define Newc(x,v,n,t,c) Newxc(v,n,t,c)
301	+#define Newz(x,v,n,t) Newxz(v,n,t)
302	+
303	#define Renew(v,n,t) \
304	- (v = (t)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)sizeof(t))))
305	+ (v = (MEM_WRAP_CHECK_(n,t) (t)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)sizeof(t)))))
306	#define Renewc(v,n,t,c) \
307	- (v = (c)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)sizeof(t))))
308	-#define Safefree(d) safefree((Malloc_t)(d))
309	-
310	-#define Move(s,d,n,t) (void)memmove((char)(d),(char)(s), (n) * sizeof(t))
311	-#define Copy(s,d,n,t) (void)memcpy((char)(d),(char)(s), (n) * sizeof(t))
312	-#define Zero(d,n,t) (void)memzero((char)(d), (n) sizeof(t))
313	+ (v = (MEM_WRAP_CHECK_(n,t) (c)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)sizeof(t)))))
314
315	-#define MoveD(s,d,n,t) memmove((char)(d),(char)(s), (n) * sizeof(t))
316	-#define CopyD(s,d,n,t) memcpy((char)(d),(char)(s), (n) * sizeof(t))
317	-#ifdef HAS_MEMSET
318	-#define ZeroD(d,n,t) memzero((char)(d), (n) sizeof(t))
319	+#ifdef PERL_POISON
320	+#define Safefree(d) \
321	+ (d ? (void)(safefree((Malloc_t)(d)), Poison(&(d), 1, Malloc_t)) : (void) 0)
322	#else
323	-#define ZeroD(d,n,t) ((void)memzero((char)(d), (n) sizeof(t)),d)
324	+#define Safefree(d) safefree((Malloc_t)(d))
325	#endif
326
327	-#define Poison(d,n,t) (void)memset((char)(d), 0xAB, (n) sizeof(t))
328	+#define Move(s,d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memmove((char)(d),(const char)(s), (n) * sizeof(t)))
329	+#define Copy(s,d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memcpy((char)(d),(const char)(s), (n) * sizeof(t)))
330	+#define Zero(d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memzero((char)(d), (n) sizeof(t)))
331
332	+#define MoveD(s,d,n,t) (MEM_WRAP_CHECK_(n,t) memmove((char)(d),(const char)(s), (n) * sizeof(t)))
333	+#define CopyD(s,d,n,t) (MEM_WRAP_CHECK_(n,t) memcpy((char)(d),(const char)(s), (n) * sizeof(t)))
334	+#ifdef HAS_MEMSET
335	+#define ZeroD(d,n,t) (MEM_WRAP_CHECK_(n,t) memzero((char)(d), (n) sizeof(t)))
336	+#else
337	+/* Using bzero(), which returns void. */
338	+#define ZeroD(d,n,t) (MEM_WRAP_CHECK_(n,t) memzero((char)(d), (n) sizeof(t)),d)
339	#endif
340
341	-#else /* lint */
342	-
343	-#define New(x,v,n,s) (v = Null(s *))
344	-#define Newc(x,v,n,s,c) (v = Null(s *))
345	-#define Newz(x,v,n,s) (v = Null(s *))
346	-#define Renew(v,n,s) (v = Null(s *))
347	-#define Move(s,d,n,t)
348	-#define Copy(s,d,n,t)
349	-#define Zero(d,n,t)
350	-#define MoveD(s,d,n,t) d
351	-#define CopyD(s,d,n,t) d
352	-#define ZeroD(d,n,t) d
353	-#define Poison(d,n,t)
354	-#define Safefree(d) (d) = (d)
355	-
356	-#endif /* lint */
357	+#define Poison(d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memset((char)(d), 0xAB, (n) sizeof(t)))
358
359	#ifdef USE_STRUCT_COPY
360	#define StructCopy(s,d,t) (((t)(d)) = ((t)(s)))
361	--- perl-5.8.7/perl.h.CVE-2005-3962-bz174684 2005-12-14 12:40:55.000000000 -0500
362	+++ perl-5.8.7/perl.h 2005-12-14 12:40:55.000000000 -0500
363	@@ -720,6 +720,13 @@
364
365	#define MEM_SIZE Size_t
366
367	+/* Round all values passed to malloc up, by default to a multiple of
368	+ sizeof(size_t)
369	+*/
370	+#ifndef PERL_STRLEN_ROUNDUP_QUANTUM
371	+#define PERL_STRLEN_ROUNDUP_QUANTUM Size_t_size
372	+#endif
373	+
374	#if defined(STANDARD_C) && defined(I_STDDEF)
375	# include <stddef.h>
376	# define STRUCT_OFFSET(s,m) offsetof(s,m)
377	@@ -3332,10 +3339,8 @@
378	INIT("\"my\" variable %s can't be in a package");
379	EXTCONST char PL_no_localize_ref[]
380	INIT("Can't localize through a reference");
381	-#ifdef PERL_MALLOC_WRAP
382	EXTCONST char PL_memory_wrap[]
383	INIT("panic: memory wrap");
384	-#endif
385
386	EXTCONST char PL_uuemap[65]
387	INIT("`!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_");
388	--- perl-5.8.7/sv.c.CVE-2005-3962-bz174684 2005-05-27 06:38:11.000000000 -0400
389	+++ perl-5.8.7/sv.c 2005-12-14 12:48:45.000000000 -0500
390	@@ -8589,9 +8589,12 @@
391	if (vectorarg) {
392	if (args)
393	vecsv = va_arg(args, SV);
394	- else
395	- vecsv = (evix ? evix <= svmax : svix < svmax) ?
396	- svargs[evix ? evix-1 : svix++] : &PL_sv_undef;
397	+ else if (evix) {
398	+ vecsv = (evix > 0 && evix <= svmax)
399	+ ? svargs[evix-1] : &PL_sv_undef;
400	+ } else {
401	+ vecsv = svix < svmax ? svargs[svix++] : &PL_sv_undef;
402	+ }
403	dotstr = SvPVx(vecsv, dotstrlen);
404	if (DO_UTF8(vecsv))
405	is_utf8 = TRUE;
406	@@ -8601,12 +8604,13 @@
407	vecstr = (U8*)SvPVx(vecsv,veclen);
408	vec_utf8 = DO_UTF8(vecsv);
409	}
410	- else if (efix ? efix <= svmax : svix < svmax) {
411	+ else if (efix ? (efix > 0 && efix <= svmax) : svix < svmax) {
412	vecsv = svargs[efix ? efix-1 : svix++];
413	vecstr = (U8*)SvPVx(vecsv,veclen);
414	vec_utf8 = DO_UTF8(vecsv);
415	}
416	else {
417	+ vecsv = &PL_sv_undef;
418	vecstr = (U8*)"";
419	veclen = 0;
420	}
421	@@ -8707,9 +8711,15 @@
422
423	if (vectorize)
424	argsv = vecsv;
425	- else if (!args)
426	- argsv = (efix ? efix <= svmax : svix < svmax) ?
427	- svargs[efix ? efix-1 : svix++] : &PL_sv_undef;
428	+ else if (!args) {
429	+ if (efix) {
430	+ const I32 i = efix-1;
431	+ argsv = (i >= 0 && i < svmax) ? svargs[i] : &PL_sv_undef;
432	+ } else {
433	+ argsv = (svix >= 0 && svix < svmax)
434	+ ? svargs[svix++] : &PL_sv_undef;
435	+ }
436	+ }
437
438	switch (c = *q++) {
439
440	@@ -8972,6 +8982,8 @@
441	*--eptr = '0';
442	break;
443	case 2:
444	+ if (!uv)
445	+ alt = FALSE;
446	do {
447	dig = uv & 1;
448	*--eptr = '0' + dig;
449	@@ -9274,6 +9286,8 @@
450
451	/* calculate width before utf8_upgrade changes it */
452	have = esignlen + zeros + elen;
453	+ if (have < zeros)
454	+ Perl_croak_nocontext(PL_memory_wrap);
455
456	if (is_utf8 != has_utf8) {
457	if (is_utf8) {
458	@@ -9301,6 +9315,9 @@
459	need = (have > width ? have : width);
460	gap = need - have;
461
462	+ if (need >= (((STRLEN)~0) - SvCUR(sv) - dotstrlen - 1))
463	+ Perl_croak_nocontext(PL_memory_wrap);
464	+
465	SvGROW(sv, SvCUR(sv) + need + dotstrlen + 1);
466	p = SvEND(sv);
467	if (esignlen && fill == '0') {
468	--- perl-5.8.7/globvar.sym.CVE-2005-3962-bz174684 2000-08-14 11:22:14.000000000 -0400
469	+++ perl-5.8.7/globvar.sym 2005-12-14 12:51:12.000000000 -0500
470	@@ -66,3 +66,4 @@
471	vtbl_collxfrm
472	vtbl_amagic
473	vtbl_amagicelem
474	+memory_wrap