perl:fix for CVE-2010-4777
Upstream-Status: Backport
The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0,
5.14.0, and other versions, when running with debugging enabled,
allows context-dependent attackers to cause a denial of service
(assertion failure and application exit) via crafted input that
is not properly handled when using certain regular expressions,
as demonstrated by causing SpamAssassin and OCSInventory to
crash.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4777
Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
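--- a/regcomp.c
+++ b/regcomp.c
@@ -11868,8 +11868,25 @@ Perl_save_re_context(pTHX)
 
 if (gvp) {
 GV * const gv = *gvp;
- if (SvTYPE(gv) == SVt_PVGV && GvSV(gv))
- save_scalar(gv);
+ if (SvTYPE(gv) == SVt_PVGV && GvSV(gv)) {
+ /* this is a copy of save_scalar() without the GETMAGIC call, RT#76538 */
+ SV ** const sptr = &GvSVn(gv);
+ SV * osv = *sptr;
+ SV * nsv = newSV(0);
+ save_pushptrptr(SvREFCNT_inc_simple(gv),
+ SvREFCNT_inc(osv), SAVEt_SV);
+ if (SvTYPE(osv) >= SVt_PVMG && SvMAGIC(osv) &&
+ SvTYPE(osv) != SVt_PVGV) {
+ if (SvGMAGICAL(osv)) {
+ const bool oldtainted = PL_tainted;
+ SvFLAGS(osv) |= (SvFLAGS(osv) &
+ (SVp_IOK|SVp_NOK|SVp_POK)) >> PRIVSHIFT;
+ PL_tainted = oldtainted;
+ }
+ mg_localize(osv, nsv, 1);
+ }
+ *sptr = nsv;
+ }
 }
 }
 }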
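Review bot: The comment on the new block in Perl_save_re_context says only that it is a copy of save_scalar() without the GETMAGIC call; it does not say why get-magic must be skipped here, or that the copy has to track later changes to save_scalar(). A later cleanup could therefore swap the helper back in and, presumably, reintroduce the assertion failure the commit message describes. I would extend it to something like `/* copy of save_scalar() without the GETMAGIC call: get-magic on this scalar can reach the assertion in Perl_reg_numbered_buff_fetch (RT#76538, CVE-2010-4777); keep in sync with save_scalar() */`. The `oldtainted` save and restore of `PL_tainted` brackets only a flag update on `osv` that does not visibly touch `PL_tainted`, so it reads as an inherited no-op and deserves a one-line explanation. The enclosing function starts and ends outside the hunk.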