author | root <root@rshg054.dnsready.net> | 2013-03-11 00:04:02 -0700 |
---|---|---|
committer | root <root@rshg054.dnsready.net> | 2013-03-11 00:04:02 -0700 |
commit | ef17357a9745e05e301b724d13a341067ddb3d5b (patch) | |
tree | 676472a92698122808799ec6539e332e4cbb9ce4 /core/perl/CVE-2013-1667.patch | |
parent | 6ee08d6a9217906f2ef84f70923d3d362d4b40ad (diff) |
Mon Mar 11 00:04:02 PDT 2013
Diffstat (limited to 'core/perl/CVE-2013-1667.patch')
-rw-r--r-- | core/perl/CVE-2013-1667.patch | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/core/perl/CVE-2013-1667.patch b/core/perl/CVE-2013-1667.patch
new file mode 100644
index 000000000..8a8f98d32
--- /dev/null
+++ b/core/perl/CVE-2013-1667.patch
@@ -0,0 +1,50 @@
+commit 9ec0b001b87d32f1d39b038b72846a5c20417be3 (refs/remotes/origin/maint-5.16)
+Author: Andy Dougherty <doughera@lafayette.edu>
+Date: Wed Jan 16 12:30:43 2013 -0500
+
+ Avoid wraparound when casting unsigned size_t to signed ssize_t.
+
+ Practically, this only affects a perl compiled with 64-bit IVs on a 32-bit
+ system. In that instance a value of count >= 2**31 would turn negative
+ when cast to (ssize_t).
+
+diff --git a/perlio.c b/perlio.c
+index 7782728..cccfdcd 100644
+--- a/perlio.c
++++ b/perlio.c
+@@ -2164,7 +2164,7 @@ PerlIOBase_read(pTHX_ PerlIO *f, void *vbuf, Size_t count)
+ SSize_t avail = PerlIO_get_cnt(f);
+ SSize_t take = 0;
+ if (avail > 0)
+- take = ((SSize_t)count < avail) ? (SSize_t)count : avail;
++ take = (((SSize_t) count >= 0) && ((SSize_t)count < avail)) ? (SSize_t)count : avail;
+ if (take > 0) {
+ STDCHAR *ptr = PerlIO_get_ptr(f);
+ Copy(ptr, buf, take, STDCHAR);
+@@ -4098,7 +4098,7 @@ PerlIOBuf_unread(pTHX_ PerlIO *f, const void *vbuf, Size_t count)
+ */
+ b->posn -= b->bufsiz;
+ }
+- if (avail > (SSize_t) count) {
++ if ((SSize_t) count >= 0 && avail > (SSize_t) count) {
+ /*
+ * If we have space for more than count, just move count
+ */
+@@ -4148,7 +4148,7 @@ PerlIOBuf_write(pTHX_ PerlIO *f, const void *vbuf, Size_t count)
+ }
+ while (count > 0) {
+ SSize_t avail = b->bufsiz - (b->ptr - b->buf);
+- if ((SSize_t) count < avail)
++ if ((SSize_t) count >= 0 && (SSize_t) count < avail)
+ avail = count;
+ if (flushptr > buf && flushptr <= buf + avail)
+ avail = flushptr - buf;
+@@ -4423,7 +4423,7 @@ PerlIOPending_read(pTHX_ PerlIO *f, void *vbuf, Size_t count)
+ {
+ SSize_t avail = PerlIO_get_cnt(f);
+ SSize_t got = 0;
+- if ((SSize_t)count < avail)
++ if ((SSize_t) count >= 0 && (SSize_t)count < avail)
+ avail = count;
+ if (avail > 0)
+ got = PerlIOBuf_read(aTHX_ f, vbuf, avail); |
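Review bot: The added file is named for CVE-2013-1667, but its 50 lines hold only upstream commit 9ec0b001b87d32f1d39b038b72846a5c20417be3, which guards four `(SSize_t) count` casts in perlio.c and whose message never mentions a CVE. As far as I know CVE-2013-1667 is the hash-rehash denial of service, which would be fixed in the hash code rather than in perlio.c, so it looks as if the wrong commit from maint-5.16 was exported; this should be checked against the upstream advisory before the package is recorded as fixed. If the perlio.c change is wanted for its own sake, it would be clearer under a name that says so (for example `perlio-ssize-wraparound.patch`, a constructed name), with the actual CVE fix added as a separate file. The build recipe is not part of this diff, so whether the patch is applied at all cannot be confirmed from here.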