authorJasper Lievisse Adriaanse <jasper@cvs.openbsd.org>2011-11-01 13:52:22 +0000
committerJasper Lievisse Adriaanse <jasper@cvs.openbsd.org>2011-11-01 13:52:22 +0000
commit14f2085f062ff9f0e6bad9eeea31ca66beba96fc (patch)
tree4cb2323b678410dc971f9b91ba97aa3f01cc5007
parent1f607e86e96863e5ca0a865953dc55a9d968f440 (diff)
Security fix for CVE-2011-2939, Perl decode_xs heap-based buffer overflow.
ok espie@ millert@
-rw-r--r--gnu/usr.bin/perl/cpan/Encode/Unicode/Unicode.xs5
-rw-r--r--gnu/usr.bin/perl/patchlevel.h1
2 files changed, 5 insertions, 1 deletions
diff --git a/gnu/usr.bin/perl/cpan/Encode/Unicode/Unicode.xs b/gnu/usr.bin/perl/cpan/Encode/Unicode/Unicode.xs
index 9741626bd31..d4f2e714ca2 100644
--- a/gnu/usr.bin/perl/cpan/Encode/Unicode/Unicode.xs
+++ b/gnu/usr.bin/perl/cpan/Encode/Unicode/Unicode.xs
@@ -246,7 +246,10 @@ CODE:
This prevents allocating too much in the rogue case of a large
input consisting initially of long sequence uft8-byte unicode
chars followed by single utf8-byte chars. */
- STRLEN remaining = (e - s)/usize;
+ /* +1
+ fixes Unicode.xs!decode_xs n-byte heap-overflow
+ */
+ STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */
STRLEN max_alloc = remaining + (8*1024*1024);
STRLEN est_alloc = remaining * UTF8_MAXLEN;
STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */
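Review bot: The two comments added around the `remaining` computation disagree about what the `+ 1` is for: the block comment says it fixes a heap overflow in decode_xs, while the trailing one says it avoids a "leak", and neither explains why one extra unit is enough. Because `(e - s)/usize` is an integer division that rounds down, a single comment saying so would serve the next reader better, for example `/* +1: (e - s)/usize rounds down; keep room for one more character (CVE-2011-2939) */`, with the trailing `/* +1 to avoid the leak */` dropped. The write into the result buffer and the rest of the `newlen` expression lie outside this hunk, so whether one extra unit covers every `usize` case cannot be confirmed from here.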
diff --git a/gnu/usr.bin/perl/patchlevel.h b/gnu/usr.bin/perl/patchlevel.h
index ce714e7fef0..da35efdffc0 100644
--- a/gnu/usr.bin/perl/patchlevel.h
+++ b/gnu/usr.bin/perl/patchlevel.h
@@ -133,6 +133,7 @@ static const char * const local_patches[] = {
,"Updated List::Util to 1.23"
,"CVE-2011-1487"
,"Updated Digest to 1.17"
+ ,"CVE-2011-2939"
#ifdef PERL_GIT_UNCOMMITTED_CHANGES
,"uncommitted-changes"
#endif