Re: Bug#698174: perl: double-free in load subroutine for Digest::SHA
On Tue, Jan 22, 2013 at 11:59:17PM +0000, Dominic Hargreaves wrote:
> Having this fix only
> in one of the two places Digest::SHA appears in wheezy is probably
> a Bad Thing, so maybe we should upload a fix for wheezy/perl after all.
Yes, I think we should (FWIW). Along with that, I suppose we need to update
Breaks: libdigest-sha-perl (<< 5.61)
in the perl package to read
Breaks: libdigest-sha-perl (<< 5.71-2)
so that any buggy versions of the libdigest-sha-perl package
can't override the fixed version in the perl package.
While at it, I think the fix for #698320 (signed/unsigned wraparound
on 32-bit platforms) could/should go in too. Release team, would that
be OK with you?
(Upstream patch attached.)
--
Niko Tyni ntyni@debian.org
>From 94e529cc4d56863d7272c254a29eda2b002a4335 Mon Sep 17 00:00:00 2001
From: Andy Dougherty <doughera@lafayette.edu>
Date: Wed, 16 Jan 2013 12:30:43 -0500
Subject: [PATCH] Avoid wraparound when casting unsigned size_t to signed ssize_t.
Practically, this only affects a perl compiled with 64-bit IVs on a 32-bit
system. In that instance a value of count >= 2**31 would turn negative
when cast to (ssize_t).
---
perlio.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/perlio.c b/perlio.c
index 3e6e0a6..5de5e65 100644
--- a/perlio.c
+++ b/perlio.c
@@ -2155,7 +2155,7 @@ PerlIOBase_read(pTHX_ PerlIO *f, void *vbuf, Size_t count)
SSize_t avail = PerlIO_get_cnt(f);
SSize_t take = 0;
if (avail > 0)
- take = ((SSize_t)count < avail) ? (SSize_t)count : avail;
+ take = (((SSize_t) count >= 0) && ((SSize_t)count < avail)) ? (SSize_t)count : avail;
if (take > 0) {
STDCHAR *ptr = PerlIO_get_ptr(f);
Copy(ptr, buf, take, STDCHAR);
@@ -4086,7 +4086,7 @@ PerlIOBuf_unread(pTHX_ PerlIO *f, const void *vbuf, Size_t count)
*/
b->posn -= b->bufsiz;
}
- if (avail > (SSize_t) count) {
+ if ((SSize_t) count >= 0 && avail > (SSize_t) count) {
/*
* If we have space for more than count, just move count
*/
@@ -4136,7 +4136,7 @@ PerlIOBuf_write(pTHX_ PerlIO *f, const void *vbuf, Size_t count)
}
while (count > 0) {
SSize_t avail = b->bufsiz - (b->ptr - b->buf);
- if ((SSize_t) count < avail)
+ if ((SSize_t) count >= 0 && (SSize_t) count < avail)
avail = count;
if (flushptr > buf && flushptr <= buf + avail)
avail = flushptr - buf;
@@ -4411,7 +4411,7 @@ PerlIOPending_read(pTHX_ PerlIO *f, void *vbuf, Size_t count)
{
SSize_t avail = PerlIO_get_cnt(f);
SSize_t got = 0;
- if ((SSize_t)count < avail)
+ if ((SSize_t) count >= 0 && (SSize_t)count < avail)
avail = count;
if (avail > 0)
got = PerlIOBuf_read(aTHX_ f, vbuf, avail);
--
1.7.4.1
Reply to: