From 8c01fabbb490ec09203901dab8d61134a5d4b1d7 Mon Sep 17 00:00:00 2001
From: Petr Písař
Date: Jul 18 2019 14:58:46 +0000
Subject: Prevent from wrapping a width in a numeric format string
---
diff --git a/perl-5.31.0-perl-133913-limit-numeric-format-results-to-INT_MAX.patch b/perl-5.31.0-perl-133913-limit-numeric-format-results-to-INT_MAX.patch
new file mode 100644
index 0000000..c1813fd
--- /dev/null
+++ b/perl-5.31.0-perl-133913-limit-numeric-format-results-to-INT_MAX.patch
@@ -0,0 +1,73 @@
+From 027471cf1095f75f273df40310e4647fe1e8a9df Mon Sep 17 00:00:00 2001
+From: Tony Cook
+Date: Wed, 20 Mar 2019 16:47:49 +1100
+Subject: [PATCH] (perl #133913) limit numeric format results to INT_MAX
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The return value of v?snprintf() is int, and we pay attention to that
+return value, so limit the expected size of numeric formats to
+INT_MAX.
+
+Signed-off-by: Petr Písař
+---
+ pod/perldiag.pod | 6 ++++++
+ sv.c | 7 +++++++
+ t/op/sprintf2.t | 7 +++++++
+ 3 files changed, 20 insertions(+)
+
+diff --git a/pod/perldiag.pod b/pod/perldiag.pod
+index 1037215d44..166d29b4bb 100644
+--- a/pod/perldiag.pod
++++ b/pod/perldiag.pod
+@@ -4354,6 +4354,12 @@ the meantime, try using scientific notation (e.g. "1e6" instead of
+ a number. This happens, for example with C<\o{}>, with no number between
+ the braces.
+
++=item Numeric format result too large
++
++(F) The length of the result of a numeric format supplied to sprintf()
++or printf() would have been too large for the underlying C function to
++report. This limit is typically 2GB.
++
+ =item Octal number > 037777777777 non-portable
+
+ (W portable) The octal number you specified is larger than 2**32-1
+diff --git a/sv.c b/sv.c
+index 8fbca52eb2..8bc0af0c16 100644
+--- a/sv.c
++++ b/sv.c
+@@ -13085,6 +13085,13 @@ Perl_sv_vcatpvfn_flags(pTHX_ SV *const sv, const char *const pat, const STRLEN p
+ if (float_need < width)
+ float_need = width;
+
++ if (float_need > INT_MAX) {
++ /* snprintf() returns an int, and we use that return value,
++ so die horribly if the expected size is too large for int
++ */
++ Perl_croak(aTHX_ "Numeric format result too large");
++ }
++
+ if (PL_efloatsize <= float_need) {
+ /* PL_efloatbuf should be at least 1 greater than
+ * float_need to allow a trailing \0 to be returned by
+diff --git a/t/op/sprintf2.t b/t/op/sprintf2.t
+index 84259a4afd..5fee8efede 100644
+--- a/t/op/sprintf2.t
++++ b/t/op/sprintf2.t
+@@ -1153,4 +1153,11 @@ foreach(
+ is sprintf("%.0f", $_), sprintf("%-.0f", $_), "special-case %.0f on $_";
+ }
+
++# large uvsize needed so the large width is parsed properly
++# large sizesize needed so the STRLEN check doesn't
++if ($Config{intsize} == 4 && $Config{uvsize} > 4 && $Config{sizesize} > 4) {
++ eval { my $x = sprintf("%7000000000E", 0) };
++ like($@, qr/^Numeric format result too large at /,
++ "croak for very large numeric format results");
++}
+ done_testing();
+--
+2.20.1
+
diff --git a/perl.spec b/perl.spec
index 2bb2f6b..1c2de8b 100644
--- a/perl.spec
+++ b/perl.spec
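Review bot: The comment above the new test in t/op/sprintf2.t is left unfinished — `# large sizesize needed so the STRLEN check doesn't` stops before saying what that check must not do, so the $Config{sizesize} gate is unexplained; complete it along the lines of `# large sizesize needed so the STRLEN check doesn't reject the width before the INT_MAX guard is reached`, if that is the intent. The sv.c guard `if (float_need > INT_MAX)` sits after the width adjustment, so it bounds the size actually handed to snprintf() and the croak is the right outcome rather than a silently truncated int return; whether the accumulation of float_need from precision and width above it is itself overflow-safe cannot be judged here, because Perl_sv_vcatpvfn_flags starts and ends outside this hunk. Note also that the test only exercises the guard on builds with a 4-byte int and wider UV/size_t, so on LP64-with-64-bit-int configurations the new branch stays untested, which is acceptable but worth a one-line remark in the test comment.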
@@ -292,6 +292,10 @@ Patch75: perl-5.31.0-perl-122112-remove-some-interfering-debug-output.pat
Patch76: perl-5.31.0-134008-More-carefully-ignore-negative-precision-in-s.patch
Patch77: perl-5.31.0-perl-134008-an-alternative-test.patch
+# Prevent from wrapping a width in a numeric format string, RT#133913,
+# fixed after 5.31.0
+Patch78: perl-5.31.0-perl-133913-limit-numeric-format-results-to-INT_MAX.patch
+
# Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@@ -2914,6 +2918,7 @@ Perl extension for Version Objects
%patch75 -p1
%patch76 -p1
%patch77 -p1
+%patch78 -p1
%patch200 -p1
%patch201 -p1
@@ -2975,6 +2980,7 @@ perl -x patchlevel.h \
'Fedora Patch75: Fix a crash in SIGALARM handler when waiting on a child process to be closed (RT#122112)' \
'Fedora Patch76: Fix a crash with a negative precision in sprintf function (RT#134008)' \
'Fedora Patch77: Fix a crash with a negative precision in sprintf function (RT#134008)' \
+ 'Fedora Patch78: Prevent from wrapping a width in a numeric format string (RT#133913)' \
'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
%{nil}
@@ -5268,6 +5274,7 @@ popd - Fix a crash in SIGALARM handler when waiting on a child process to be closed (RT#122112) - Fix a crash with a negative precision in sprintf function (RT#134008) +- Prevent from wrapping a width in a numeric format string (RT#133913) * Tue Apr 23 2019 Jitka Plesnikova - 4:5.28.2-431 - 5.28.2 bump (see