Commit | Line | Data |
---|---|---|
21155a62 AM |
1 | --- perl-5.8.7/t/lib/warnings/sv.CVE-2005-3962-bz174684 2004-03-18 07:51:14.000000000 -0500 |
2 | +++ perl-5.8.7/t/lib/warnings/sv 2005-12-14 12:40:55.000000000 -0500 | |
3 | @@ -301,12 +301,12 @@ | |
4 | printf F "%\x02" ; | |
5 | $a = sprintf "%\x02" ; | |
6 | EXPECT | |
7 | -Invalid conversion in sprintf: "%z" at - line 5. | |
8 | -Invalid conversion in sprintf: end of string at - line 7. | |
9 | -Invalid conversion in sprintf: "%\002" at - line 9. | |
10 | Invalid conversion in printf: "%z" at - line 4. | |
11 | +Invalid conversion in sprintf: "%z" at - line 5. | |
12 | Invalid conversion in printf: end of string at - line 6. | |
13 | +Invalid conversion in sprintf: end of string at - line 7. | |
14 | Invalid conversion in printf: "%\002" at - line 8. | |
15 | +Invalid conversion in sprintf: "%\002" at - line 9. | |
16 | ######## | |
17 | # sv.c | |
18 | use warnings 'misc' ; | |
19 | --- perl-5.8.7/t/op/sprintf.t.CVE-2005-3962-bz174684 2003-09-01 03:41:07.000000000 -0400 | |
20 | +++ perl-5.8.7/t/op/sprintf.t 2005-12-14 12:53:09.000000000 -0500 | |
21 | @@ -385,3 +385,8 @@ | |
22 | >%4$K %d< >[45, 67]< >%4$K 45 INVALID< | |
23 | >%d %K %d< >[23, 45]< >23 %K 45 INVALID< | |
24 | >%*v*999\$d %d %d< >[11, 22, 33]< >%*v*999\$d 11 22 INVALID< | |
25 | +>%#b< >0< >0< | |
26 | +>%#o< >0< >0< | |
27 | +>%#x< >0< >0< | |
28 | +>%2918905856$v2d< >''< >< | |
29 | +>%*2918905856$v2d< >''< > UNINIT< | |
30 | --- perl-5.8.7/t/op/sprintf2.t.CVE-2005-3962-bz174684 2004-02-09 16:37:13.000000000 -0500 | |
31 | +++ perl-5.8.7/t/op/sprintf2.t 2005-12-14 12:50:39.000000000 -0500 | |
32 | @@ -6,7 +6,7 @@ | |
33 | require './test.pl'; | |
34 | } | |
35 | ||
36 | -plan tests => 3; | |
37 | +plan tests => 7 + 256; | |
38 | ||
39 | is( | |
40 | sprintf("%.40g ",0.01), | |
41 | @@ -26,3 +26,43 @@ | |
42 | q(width calculation under utf8 upgrade) | |
43 | ); | |
44 | } | |
45 | + | |
46 | +# Used to mangle PL_sv_undef | |
47 | +fresh_perl_is( | |
48 | + 'print sprintf "xxx%n\n"; print undef', | |
49 | + 'Modification of a read-only value attempted at - line 1.', | |
50 | + { switches => [ '-w' ] }, | |
51 | + q(%n should not be able to modify read-only constants), | |
52 | +); | |
53 | + | |
54 | +# check %NNN$ for range bounds, especially negative 2's complement | |
55 | +{ | |
56 | + my ($warn, $bad) = (0,0); | |
57 | + local $SIG{__WARN__} = sub { | |
58 | + if ($_[0] =~ /uninitialized/) { | |
59 | + $warn++ | |
60 | + } | |
61 | + else { | |
62 | + $bad++ | |
63 | + } | |
64 | + }; | |
65 | + my $result = sprintf join('', map("%$_\$s%" . ~$_ . '$s', 1..20)), | |
66 | + qw(a b c d); | |
67 | + is($result, "abcd", "only four valid values"); | |
68 | + is($warn, 36, "expected warnings"); | |
69 | + is($bad, 0, "unexpected warnings"); | |
70 | +} | |
71 | +{ | |
72 | + foreach my $ord (0 .. 255) { | |
73 | + my $bad = 0; | |
74 | + local $SIG{__WARN__} = sub { | |
75 | + unless ($_[0] =~ /^Invalid conversion in sprintf/ || | |
76 | + $_[0] =~ /^Use of uninitialized value in sprintf/) { | |
77 | + warn $_[0]; | |
78 | + $bad++; | |
79 | + } | |
80 | + }; | |
81 | + my $r = eval {sprintf '%v' . chr $ord}; | |
82 | + is ($bad, 0, "pattern '%v' . chr $ord"); | |
83 | + } | |
84 | +} | |
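Review bot: In the `0 .. 255` loop the value of `eval {sprintf '%v' . chr $ord}` is stored in `$r` and never read, and `$@` is not checked, so a pattern that made sprintf die would still pass because only warnings are counted. Adding `$bad++ if $@;` before the `is` makes a die visible and keeps the plan at `7 + 256`. The literal in `is($warn, 36, "expected warnings")` would also read better with a comment such as `# 20 patterns x 2 conversions request 40 arguments, only 4 are supplied`.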
85 | --- perl-5.8.7/opcode.h.CVE-2005-3962-bz174684 2005-05-27 12:29:50.000000000 -0400 | |
86 | +++ perl-5.8.7/opcode.h 2005-12-14 12:40:55.000000000 -0500 | |
87 | @@ -1585,7 +1585,7 @@ | |
88 | 0x0022281c, /* vec */ | |
89 | 0x0122291c, /* index */ | |
90 | 0x0122291c, /* rindex */ | |
91 | - 0x0004280f, /* sprintf */ | |
92 | + 0x0004280d, /* sprintf - WAS 0x0004280f before patch #26283 */ | |
93 | 0x00042805, /* formline */ | |
94 | 0x0001379e, /* ord */ | |
95 | 0x0001378e, /* chr */ | |
96 | --- perl-5.8.7/op.c.CVE-2005-3962-bz174684 2005-04-22 10:12:32.000000000 -0400 | |
97 | +++ perl-5.8.7/op.c 2005-12-14 12:40:55.000000000 -0500 | |
98 | @@ -2076,7 +2076,9 @@ | |
99 | /* XXX might want a ck_negate() for this */ | |
100 | cUNOPo->op_first->op_private &= ~OPpCONST_STRICT; | |
101 | break; | |
102 | - case OP_SPRINTF: | |
103 | +/* Removed as part of fix for CVE-2005-3962 / Upstream patch 26283 : | |
104 | + * case OP_SPRINTF: | |
105 | + */ | |
106 | case OP_UCFIRST: | |
107 | case OP_LCFIRST: | |
108 | case OP_UC: | |
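Review bot: The `case OP_SPRINTF:` label is kept inside a comment rather than deleted, and the comment gives the CVE and patch number but not the reason for the removal. Judging by the opcode.pl and opcode.h hunks in this patch, sprintf appears to lose its constant-folding flag, which would make this label dead. If that is the reason, `/* OP_SPRINTF is no longer constant-folded (CVE-2005-3962), so it needs no case here */` tells the next reader more than the commented-out label does. The enclosing switch starts and ends outside the hunk.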
109 | --- perl-5.8.7/makedef.pl.CVE-2005-3962-bz174684 2005-05-09 09:27:41.000000000 -0400 | |
110 | +++ perl-5.8.7/makedef.pl 2005-12-14 12:40:55.000000000 -0500 | |
111 | @@ -635,11 +635,13 @@ | |
112 | )]; | |
113 | } | |
114 | ||
115 | -if ($define{'PERL_MALLOC_WRAP'}) { | |
116 | - emit_symbols [qw( | |
117 | - PL_memory_wrap | |
118 | - )]; | |
119 | -} | |
120 | +# Removed as part of fix for CVE-2005-3962 / CVE-2005-3962 / | |
121 | +# Upstream patch #26283 | |
122 | +# if ($define{'PERL_MALLOC_WRAP'}) { | |
123 | +# emit_symbols [qw( | |
124 | +# PL_memory_wrap | |
125 | +# )]; | |
126 | +#} | |
127 | ||
128 | unless ($define{'USE_5005THREADS'} || $define{'USE_ITHREADS'}) { | |
129 | skip_symbols [qw( | |
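Review bot: The added comment reads `CVE-2005-3962 / CVE-2005-3962 /`, the same identifier twice, where the op.c hunk of this patch writes `CVE-2005-3962 / Upstream patch 26283`; one of the two is presumably a slip. The five commented-out lines could also be deleted outright instead of kept as dead code. A single line such as `# PL_memory_wrap is no longer conditional on PERL_MALLOC_WRAP (CVE-2005-3962, upstream patch #26283)` would then carry the reason; the perl.h and globvar.sym hunks suggest the symbol is now exported unconditionally, which is worth confirming.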
130 | --- perl-5.8.7/ext/Sys/Syslog/Syslog.pm.CVE-2005-3962-bz174684 2005-04-22 07:53:56.000000000 -0400 | |
131 | +++ perl-5.8.7/ext/Sys/Syslog/Syslog.pm 2005-12-14 12:40:55.000000000 -0500 | |
132 | @@ -1,14 +1,13 @@ | |
133 | package Sys::Syslog; | |
134 | require 5.006; | |
135 | require Exporter; | |
136 | -require DynaLoader; | |
137 | use Carp; | |
138 | use strict; | |
139 | ||
140 | -our @ISA = qw(Exporter DynaLoader); | |
141 | +our @ISA = qw(Exporter); | |
142 | our @EXPORT = qw(openlog closelog setlogmask syslog); | |
143 | our @EXPORT_OK = qw(setlogsock); | |
144 | -our $VERSION = '0.06'; | |
145 | +our $VERSION = '0.08'; | |
146 | ||
147 | # it would be nice to try stream/unix first, since that will be | |
148 | # most efficient. However streams are dodgy - see _syslog_send_stream | |
149 | @@ -54,26 +53,38 @@ | |
150 | ||
151 | =item openlog $ident, $logopt, $facility | |
152 | ||
153 | +Opens the syslog. | |
154 | I<$ident> is prepended to every message. I<$logopt> contains zero or | |
155 | more of the words I<pid>, I<ndelay>, I<nowait>. The cons option is | |
156 | ignored, since the failover mechanism will drop down to the console | |
157 | automatically if all other media fail. I<$facility> specifies the | |
158 | part of the system to report about, for example LOG_USER or LOG_LOCAL0: | |
159 | see your C<syslog(3)> documentation for the facilities available in | |
160 | -your system. | |
161 | +your system. This function will croak if it can't connect to the syslog | |
162 | +daemon. | |
163 | ||
164 | B<You should use openlog() before calling syslog().> | |
165 | ||
166 | +=item syslog $priority, $message | |
167 | + | |
168 | =item syslog $priority, $format, @args | |
169 | ||
170 | -If I<$priority> permits, logs I<($format, @args)> | |
171 | -printed as by C<printf(3V)>, with the addition that I<%m> | |
172 | -is replaced with C<"$!"> (the latest error message). | |
173 | +If I<$priority> permits, logs I<$message> or I<sprintf($format, @args)> | |
174 | +with the addition that I<%m> in $message or $format is replaced with | |
175 | +C<"$!"> (the latest error message). | |
176 | ||
177 | If you didn't use openlog() before using syslog(), syslog will try to | |
178 | guess the I<$ident> by extracting the shortest prefix of I<$format> | |
179 | that ends in a ":". | |
180 | ||
181 | +Note that Sys::Syslog version v0.07 and older passed the $message as | |
182 | +the formatting string to sprintf() even when no formatting arguments | |
183 | +were provided. If the code calling syslog() might execute with older | |
184 | +versions of this module, make sure to call the function as | |
185 | +syslog($priority, "%s", $message) instead of syslog($priority, | |
186 | +$message). This protects against hostile formatting sequences that | |
187 | +might show up if $message contains tainted data. | |
188 | + | |
189 | =item setlogmask $mask_priority | |
190 | ||
191 | Sets log mask I<$mask_priority> and returns the old mask. | |
192 | @@ -175,7 +186,8 @@ | |
193 | goto &$AUTOLOAD; | |
194 | } | |
195 | ||
196 | -bootstrap Sys::Syslog $VERSION; | |
197 | +require XSLoader; | |
198 | +XSLoader::load('Sys::Syslog', $VERSION); | |
199 | ||
200 | our $maskpri = &LOG_UPTO(&LOG_DEBUG); | |
201 | ||
202 | @@ -316,9 +328,16 @@ | |
203 | ||
204 | $whoami .= "[$$]" if our $lo_pid; | |
205 | ||
206 | - $mask =~ s/(?<!%)%m/$!/g; | |
207 | + if ($mask =~ /%m/) { | |
208 | + my $err = $!; | |
209 | + # escape percent signs if sprintf will be called | |
210 | + $err =~ s/%/%%/g if @_; | |
211 | + # replace %m with $err, if preceded by an even number of percent signs | |
212 | + $mask =~ s/(?<!%)((?:%%)*)%m/$1$err/g; | |
213 | + } | |
214 | + | |
215 | $mask .= "\n" unless $mask =~ /\n$/; | |
216 | - $message = sprintf ($mask, @_); | |
217 | + $message = @_ ? sprintf($mask, @_) : $mask; | |
218 | ||
219 | $sum = $numpri + $numfac; | |
220 | my $buf = "<$sum>$whoami: $message\0"; | |
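Review bot: With no format arguments the last hunk uses `$mask` verbatim, so a literal `%%` in a single-argument message is now logged as two percent signs, while the `%m` substitution just above still treats `%%m` as escaped and leaves it untouched; the form with arguments collapses both through sprintf. The POD added earlier in this file describes the `%m` replacement but not this difference. A sentence under `=item syslog $priority, $message` such as `When called without @args, only %m is interpreted; every other percent sign is logged unchanged.` would cover it. The changed lines sit in the middle of a sub whose start and end are outside the hunk.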
221 | --- perl-5.8.7/opcode.pl.CVE-2005-3962-bz174684 2004-12-01 08:54:30.000000000 -0500 | |
222 | +++ perl-5.8.7/opcode.pl 2005-12-14 12:40:55.000000000 -0500 | |
223 | @@ -606,7 +606,7 @@ | |
224 | index index ck_index isT@ S S S? | |
225 | rindex rindex ck_index isT@ S S S? | |
226 | ||
227 | -sprintf sprintf ck_fun mfst@ S L | |
228 | +sprintf sprintf ck_fun mst@ S L | |
229 | formline formline ck_fun ms@ S L | |
230 | ord ord ck_fun ifsTu% S? | |
231 | chr chr ck_fun fsTu% S? | |
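Review bot: The flag change from `mfst@` to `mst@` on the sprintf entry has no explanation in this file. The only remark about it is in opcode.h (`WAS 0x0004280f before patch #26283`), which appears to be generated from this table and would lose the remark on regeneration. If the table accepts `#` comment lines, which should be checked against the rest of opcode.pl, a line such as `# sprintf is deliberately not constant-folded (no 'f' flag): CVE-2005-3962` above the entry keeps the reason with the source of truth.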
232 | --- perl-5.8.7/handy.h.CVE-2005-3962-bz174684 2005-04-20 12:33:28.000000000 -0400 | |
233 | +++ perl-5.8.7/handy.h 2005-12-14 12:40:55.000000000 -0500 | |
234 | @@ -598,91 +598,65 @@ | |
235 | ||
236 | =cut */ | |
237 | ||
238 | -#ifndef lint | |
239 | - | |
240 | #define NEWSV(x,len) newSV(len) | |
241 | ||
242 | #ifdef PERL_MALLOC_WRAP | |
243 | #define MEM_WRAP_CHECK(n,t) \ | |
244 | - (void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(PL_memory_wrap),0):0) | |
245 | + (void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(PL_memory_wrap),0):0) | |
246 | #define MEM_WRAP_CHECK_1(n,t,a) \ | |
247 | - (void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a),0):0) | |
248 | + (void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a),0):0) | |
249 | #define MEM_WRAP_CHECK_2(n,t,a,b) \ | |
250 | - (void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a,b),0):0) | |
251 | + (void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a,b),0):0) | |
252 | +#define MEM_WRAP_CHECK_(n,t) MEM_WRAP_CHECK(n,t), | |
253 | ||
254 | -#define New(x,v,n,t) (v = (MEM_WRAP_CHECK(n,t), (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))) | |
255 | -#define Newc(x,v,n,t,c) (v = (MEM_WRAP_CHECK(n,t), (c*)safemalloc((MEM_SIZE)((n)*sizeof(t))))) | |
256 | -#define Newz(x,v,n,t) (v = (MEM_WRAP_CHECK(n,t), (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))), \ | |
257 | - memzero((char*)(v), (n)*sizeof(t)) | |
258 | -#define Renew(v,n,t) \ | |
259 | - (v = (MEM_WRAP_CHECK(n,t), (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t))))) | |
260 | -#define Renewc(v,n,t,c) \ | |
261 | - (v = (MEM_WRAP_CHECK(n,t), (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t))))) | |
262 | -#define Safefree(d) safefree((Malloc_t)(d)) | |
263 | - | |
264 | -#define Move(s,d,n,t) (MEM_WRAP_CHECK(n,t), (void)memmove((char*)(d),(char*)(s), (n) * sizeof(t))) | |
265 | -#define Copy(s,d,n,t) (MEM_WRAP_CHECK(n,t), (void)memcpy((char*)(d),(char*)(s), (n) * sizeof(t))) | |
266 | -#define Zero(d,n,t) (MEM_WRAP_CHECK(n,t), (void)memzero((char*)(d), (n) * sizeof(t))) | |
267 | - | |
268 | -#define MoveD(s,d,n,t) (MEM_WRAP_CHECK(n,t), memmove((char*)(d),(char*)(s), (n) * sizeof(t))) | |
269 | -#define CopyD(s,d,n,t) (MEM_WRAP_CHECK(n,t), memcpy((char*)(d),(char*)(s), (n) * sizeof(t))) | |
270 | -#ifdef HAS_MEMSET | |
271 | -#define ZeroD(d,n,t) (MEM_WRAP_CHECK(n,t), memzero((char*)(d), (n) * sizeof(t))) | |
272 | -#else | |
273 | -/* Using bzero(), which returns void. */ | |
274 | -#define ZeroD(d,n,t) (MEM_WRAP_CHECK(n,t), memzero((char*)(d), (n) * sizeof(t)),d) | |
275 | -#endif | |
276 | - | |
277 | -#define Poison(d,n,t) (MEM_WRAP_CHECK(n,t), (void)memset((char*)(d), 0xAB, (n) * sizeof(t))) | |
278 | +#define PERL_STRLEN_ROUNDUP(n) ((void)(((n) > (MEM_SIZE)~0 - 2 * PERL_STRLEN_ROUNDUP_QUANTUM) ? (Perl_croak_nocontext(PL_memory_wrap),0):0),((n-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1))) | |
279 | ||
280 | #else | |
281 | ||
282 | #define MEM_WRAP_CHECK(n,t) | |
283 | #define MEM_WRAP_CHECK_1(n,t,a) | |
284 | #define MEM_WRAP_CHECK_2(n,t,a,b) | |
285 | +#define MEM_WRAP_CHECK_(n,t) | |
286 | + | |
287 | +#define PERL_STRLEN_ROUNDUP(n) (((n-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1))) | |
288 | ||
289 | -#define New(x,v,n,t) (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))) | |
290 | -#define Newc(x,v,n,t,c) (v = (c*)safemalloc((MEM_SIZE)((n)*sizeof(t)))) | |
291 | -#define Newz(x,v,n,t) (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))), \ | |
292 | +#endif | |
293 | + | |
294 | +#define Newx(v,n,t) (v = (MEM_WRAP_CHECK_(n,t) (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))) | |
295 | +#define Newxc(v,n,t,c) (v = (MEM_WRAP_CHECK_(n,t) (c*)safemalloc((MEM_SIZE)((n)*sizeof(t))))) | |
296 | +#define Newxz(v,n,t) (v = (MEM_WRAP_CHECK_(n,t) (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))), \ | |
297 | memzero((char*)(v), (n)*sizeof(t)) | |
298 | +/* pre 5.9.x compatibility */ | |
299 | +#define New(x,v,n,t) Newx(v,n,t) | |
300 | +#define Newc(x,v,n,t,c) Newxc(v,n,t,c) | |
301 | +#define Newz(x,v,n,t) Newxz(v,n,t) | |
302 | + | |
303 | #define Renew(v,n,t) \ | |
304 | - (v = (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))) | |
305 | + (v = (MEM_WRAP_CHECK_(n,t) (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t))))) | |
306 | #define Renewc(v,n,t,c) \ | |
307 | - (v = (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))) | |
308 | -#define Safefree(d) safefree((Malloc_t)(d)) | |
309 | - | |
310 | -#define Move(s,d,n,t) (void)memmove((char*)(d),(char*)(s), (n) * sizeof(t)) | |
311 | -#define Copy(s,d,n,t) (void)memcpy((char*)(d),(char*)(s), (n) * sizeof(t)) | |
312 | -#define Zero(d,n,t) (void)memzero((char*)(d), (n) * sizeof(t)) | |
313 | + (v = (MEM_WRAP_CHECK_(n,t) (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t))))) | |
314 | ||
315 | -#define MoveD(s,d,n,t) memmove((char*)(d),(char*)(s), (n) * sizeof(t)) | |
316 | -#define CopyD(s,d,n,t) memcpy((char*)(d),(char*)(s), (n) * sizeof(t)) | |
317 | -#ifdef HAS_MEMSET | |
318 | -#define ZeroD(d,n,t) memzero((char*)(d), (n) * sizeof(t)) | |
319 | +#ifdef PERL_POISON | |
320 | +#define Safefree(d) \ | |
321 | + (d ? (void)(safefree((Malloc_t)(d)), Poison(&(d), 1, Malloc_t)) : (void) 0) | |
322 | #else | |
323 | -#define ZeroD(d,n,t) ((void)memzero((char*)(d), (n) * sizeof(t)),d) | |
324 | +#define Safefree(d) safefree((Malloc_t)(d)) | |
325 | #endif | |
326 | ||
327 | -#define Poison(d,n,t) (void)memset((char*)(d), 0xAB, (n) * sizeof(t)) | |
328 | +#define Move(s,d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memmove((char*)(d),(const char*)(s), (n) * sizeof(t))) | |
329 | +#define Copy(s,d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memcpy((char*)(d),(const char*)(s), (n) * sizeof(t))) | |
330 | +#define Zero(d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memzero((char*)(d), (n) * sizeof(t))) | |
331 | ||
332 | +#define MoveD(s,d,n,t) (MEM_WRAP_CHECK_(n,t) memmove((char*)(d),(const char*)(s), (n) * sizeof(t))) | |
333 | +#define CopyD(s,d,n,t) (MEM_WRAP_CHECK_(n,t) memcpy((char*)(d),(const char*)(s), (n) * sizeof(t))) | |
334 | +#ifdef HAS_MEMSET | |
335 | +#define ZeroD(d,n,t) (MEM_WRAP_CHECK_(n,t) memzero((char*)(d), (n) * sizeof(t))) | |
336 | +#else | |
337 | +/* Using bzero(), which returns void. */ | |
338 | +#define ZeroD(d,n,t) (MEM_WRAP_CHECK_(n,t) memzero((char*)(d), (n) * sizeof(t)),d) | |
339 | #endif | |
340 | ||
341 | -#else /* lint */ | |
342 | - | |
343 | -#define New(x,v,n,s) (v = Null(s *)) | |
344 | -#define Newc(x,v,n,s,c) (v = Null(s *)) | |
345 | -#define Newz(x,v,n,s) (v = Null(s *)) | |
346 | -#define Renew(v,n,s) (v = Null(s *)) | |
347 | -#define Move(s,d,n,t) | |
348 | -#define Copy(s,d,n,t) | |
349 | -#define Zero(d,n,t) | |
350 | -#define MoveD(s,d,n,t) d | |
351 | -#define CopyD(s,d,n,t) d | |
352 | -#define ZeroD(d,n,t) d | |
353 | -#define Poison(d,n,t) | |
354 | -#define Safefree(d) (d) = (d) | |
355 | - | |
356 | -#endif /* lint */ | |
357 | +#define Poison(d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memset((char*)(d), 0xAB, (n) * sizeof(t))) | |
358 | ||
359 | #ifdef USE_STRUCT_COPY | |
360 | #define StructCopy(s,d,t) (*((t*)(d)) = *((t*)(s))) | |
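Review bot: Both definitions of `PERL_STRLEN_ROUNDUP` expand their argument unparenthesised in `(n-1+PERL_STRLEN_ROUNDUP_QUANTUM)`, although the overflow test in the same macro writes `(n)`; an argument containing an operator of lower precedence than `-`, such as a conditional or bitwise expression, would be rounded incorrectly. Writing `(((n)-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1))` in both the PERL_MALLOC_WRAP branch and the fallback branch fixes that. The wrap-checked variant also evaluates `n` twice, and the fallback branch rounds up with no overflow test at all. A comment beside the definitions should say both, so callers neither pass expressions with side effects nor assume the check is always present.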
361 | --- perl-5.8.7/perl.h.CVE-2005-3962-bz174684 2005-12-14 12:40:55.000000000 -0500 | |
362 | +++ perl-5.8.7/perl.h 2005-12-14 12:40:55.000000000 -0500 | |
363 | @@ -720,6 +720,13 @@ | |
364 | ||
365 | #define MEM_SIZE Size_t | |
366 | ||
367 | +/* Round all values passed to malloc up, by default to a multiple of | |
368 | + sizeof(size_t) | |
369 | +*/ | |
370 | +#ifndef PERL_STRLEN_ROUNDUP_QUANTUM | |
371 | +#define PERL_STRLEN_ROUNDUP_QUANTUM Size_t_size | |
372 | +#endif | |
373 | + | |
374 | #if defined(STANDARD_C) && defined(I_STDDEF) | |
375 | # include <stddef.h> | |
376 | # define STRUCT_OFFSET(s,m) offsetof(s,m) | |
377 | @@ -3332,10 +3339,8 @@ | |
378 | INIT("\"my\" variable %s can't be in a package"); | |
379 | EXTCONST char PL_no_localize_ref[] | |
380 | INIT("Can't localize through a reference"); | |
381 | -#ifdef PERL_MALLOC_WRAP | |
382 | EXTCONST char PL_memory_wrap[] | |
383 | INIT("panic: memory wrap"); | |
384 | -#endif | |
385 | ||
386 | EXTCONST char PL_uuemap[65] | |
387 | INIT("`!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_"); | |
388 | --- perl-5.8.7/sv.c.CVE-2005-3962-bz174684 2005-05-27 06:38:11.000000000 -0400 | |
389 | +++ perl-5.8.7/sv.c 2005-12-14 12:48:45.000000000 -0500 | |
390 | @@ -8589,9 +8589,12 @@ | |
391 | if (vectorarg) { | |
392 | if (args) | |
393 | vecsv = va_arg(*args, SV*); | |
394 | - else | |
395 | - vecsv = (evix ? evix <= svmax : svix < svmax) ? | |
396 | - svargs[evix ? evix-1 : svix++] : &PL_sv_undef; | |
397 | + else if (evix) { | |
398 | + vecsv = (evix > 0 && evix <= svmax) | |
399 | + ? svargs[evix-1] : &PL_sv_undef; | |
400 | + } else { | |
401 | + vecsv = svix < svmax ? svargs[svix++] : &PL_sv_undef; | |
402 | + } | |
403 | dotstr = SvPVx(vecsv, dotstrlen); | |
404 | if (DO_UTF8(vecsv)) | |
405 | is_utf8 = TRUE; | |
406 | @@ -8601,12 +8604,13 @@ | |
407 | vecstr = (U8*)SvPVx(vecsv,veclen); | |
408 | vec_utf8 = DO_UTF8(vecsv); | |
409 | } | |
410 | - else if (efix ? efix <= svmax : svix < svmax) { | |
411 | + else if (efix ? (efix > 0 && efix <= svmax) : svix < svmax) { | |
412 | vecsv = svargs[efix ? efix-1 : svix++]; | |
413 | vecstr = (U8*)SvPVx(vecsv,veclen); | |
414 | vec_utf8 = DO_UTF8(vecsv); | |
415 | } | |
416 | else { | |
417 | + vecsv = &PL_sv_undef; | |
418 | vecstr = (U8*)""; | |
419 | veclen = 0; | |
420 | } | |
421 | @@ -8707,9 +8711,15 @@ | |
422 | ||
423 | if (vectorize) | |
424 | argsv = vecsv; | |
425 | - else if (!args) | |
426 | - argsv = (efix ? efix <= svmax : svix < svmax) ? | |
427 | - svargs[efix ? efix-1 : svix++] : &PL_sv_undef; | |
428 | + else if (!args) { | |
429 | + if (efix) { | |
430 | + const I32 i = efix-1; | |
431 | + argsv = (i >= 0 && i < svmax) ? svargs[i] : &PL_sv_undef; | |
432 | + } else { | |
433 | + argsv = (svix >= 0 && svix < svmax) | |
434 | + ? svargs[svix++] : &PL_sv_undef; | |
435 | + } | |
436 | + } | |
437 | ||
438 | switch (c = *q++) { | |
439 | ||
440 | @@ -8972,6 +8982,8 @@ | |
441 | *--eptr = '0'; | |
442 | break; | |
443 | case 2: | |
444 | + if (!uv) | |
445 | + alt = FALSE; | |
446 | do { | |
447 | dig = uv & 1; | |
448 | *--eptr = '0' + dig; | |
449 | @@ -9274,6 +9286,8 @@ | |
450 | ||
451 | /* calculate width before utf8_upgrade changes it */ | |
452 | have = esignlen + zeros + elen; | |
453 | + if (have < zeros) | |
454 | + Perl_croak_nocontext(PL_memory_wrap); | |
455 | ||
456 | if (is_utf8 != has_utf8) { | |
457 | if (is_utf8) { | |
458 | @@ -9301,6 +9315,9 @@ | |
459 | need = (have > width ? have : width); | |
460 | gap = need - have; | |
461 | ||
462 | + if (need >= (((STRLEN)~0) - SvCUR(sv) - dotstrlen - 1)) | |
463 | + Perl_croak_nocontext(PL_memory_wrap); | |
464 | + | |
465 | SvGROW(sv, SvCUR(sv) + need + dotstrlen + 1); | |
466 | p = SvEND(sv); | |
467 | if (esignlen && fill == '0') { | |
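Review bot: The new range tests on `evix` and `efix` apply only after the explicit index has been converted, so they reject a value that wrapped to a negative number, as in the `%2918905856$v2d` cases added to t/op/sprintf.t. If the digit parser outside these hunks does not detect overflow, a larger value could wrap to a small positive index and silently select an existing argument. That stays within bounds but produces wrong output, so it is worth confirming that the parser rejects or saturates overflowing indexes. The check is also spelled three ways (`evix > 0 && evix <= svmax`, `efix > 0 && efix <= svmax`, and `i >= 0 && i < svmax` on `efix-1`), with `svix >= 0` tested in the third hunk only; one small macro or static helper would keep the sites from drifting apart. All of these hunks lie in the middle of a function whose start and end are not shown.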
468 | --- perl-5.8.7/globvar.sym.CVE-2005-3962-bz174684 2000-08-14 11:22:14.000000000 -0400 | |
469 | +++ perl-5.8.7/globvar.sym 2005-12-14 12:51:12.000000000 -0500 | |
470 | @@ -66,3 +66,4 @@ | |
471 | vtbl_collxfrm | |
472 | vtbl_amagic | |
473 | vtbl_amagicelem | |
474 | +memory_wrap |