rpms
/
perl-Storable
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:c9
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c-stream-5.26
rpms:c8-stream-5.26
rpms:i8c-stream-5.24
rpms:c8-stream-5.24
rpms:i8c-beta-stream-5.32
rpms:c8-beta-stream-5.32
rpms:i8c-stream-5.32
rpms:c8-stream-5.32
rpms:i8c-stream-5.30
rpms:c8-stream-5.30
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9
...
pull from: rpms:c8-stream-5.24
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c-stream-5.26
rpms:c8-stream-5.26
rpms:i8c-stream-5.24
rpms:c8-stream-5.24
rpms:i8c-beta-stream-5.32
rpms:c8-beta-stream-5.32
rpms:i8c-stream-5.32
rpms:c8-stream-5.32
rpms:i8c-stream-5.30
rpms:c8-stream-5.30
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9

No commits in common. 'c9' and 'c8-stream-5.24' have entirely different histories.
c9 ... c8-stream-

13 changed files with 719 additions and 811 deletions
Show Stats

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/Storable-3.15.tar.gz SOURCES/Storable-2.51.tar.gz

2
.perl-Storable.metadata
Unescape View File

@ -1 +1 @@
dfd5ef17f9cdca7c246a90cbde7948e4c0168670 SOURCES/Storable-3.15.tar.gz 3ccd6ac2b898aa589ac5c6dd73d6b600f5192a47 SOURCES/Storable-2.51.tar.gz

307
SOURCES/Storable-2.51-Upgrade-to-2.53.patch
Unescape View File

@ -0,0 +1,307 @@
From fd2e79041c553c1220c6eca796293873246c5682 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Wed, 6 May 2015 09:39:53 +0200
Subject: [PATCH] Upgrade to 2.53
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
ChangeLog | 2 +-
MANIFEST | 3 +++
Storable.pm | 6 +++---
t/attach.t | 42 ++++++++++++++++++++++++++++++++++++
t/attach_errors.t | 2 +-
t/canonical.t | 2 +-
t/code.t | 2 +-
t/leaks.t | 34 +++++++++++++++++++++++++++++
t/tied_store.t | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
t/utf8.t | 6 ++++--
10 files changed, 154 insertions(+), 9 deletions(-)
create mode 100644 t/attach.t
create mode 100644 t/leaks.t
create mode 100644 t/tied_store.t
diff --git a/ChangeLog b/ChangeLog
index 4df921e..cbfdbab 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -209,7 +209,7 @@ Fri Jun 7 23:55:41 BST 2002 Nicholas Clark
The bug was introduced as development perl change 16442 (on
2002/05/07), so has been present since 2.00.
Patches to introduce more regression tests to reduce the chance of
- a reoccurence of this sort of goof are always welcome.
+ a reoccurrence of this sort of goof are always welcome.
Thu May 30 20:31:08 BST 2002 Nicholas Clark <nick@ccl4.org>
diff --git a/MANIFEST b/MANIFEST
index 84b72f1..2f5b725 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -9,6 +9,7 @@ ppport.h
README
Storable.pm
Storable.xs
+t/attach.t
t/attach_errors.t
t/attach_singleton.t
t/blessed.t
@@ -33,6 +34,7 @@ t/HAS_OVERLOAD.pm
t/integer.t
t/interwork56.t
t/just_plain_nasty.t
+t/leaks.t
t/lock.t
t/make_56_interwork.pl
t/make_downgrade.pl
@@ -51,6 +53,7 @@ t/threads.t
t/tied.t
t/tied_hook.t
t/tied_items.t
+t/tied_store.t
t/utf8.t
t/utf8hash.t
t/weak.t
diff --git a/Storable.pm b/Storable.pm
index 839c1d1..9d8b621 100644
--- a/Storable.pm
+++ b/Storable.pm
@@ -22,7 +22,7 @@ package Storable; @ISA = qw(Exporter);
use vars qw($canonical $forgive_me $VERSION);
-$VERSION = '2.51';
+$VERSION = '2.53';
BEGIN {
if (eval { local $SIG{__DIE__}; require Log::Agent; 1 }) {
@@ -1088,8 +1088,8 @@ deal with them.
The store functions will C<croak> if they run into such references
unless you set C<$Storable::forgive_me> to some C<TRUE> value. In that
-case, the fatal message is turned in a warning and some
-meaningless string is stored instead.
+case, the fatal message is converted to a warning and some meaningless
+string is stored instead.
Setting C<$Storable::canonical> may not yield frozen strings that
compare equal due to possible stringification of numbers. When the
diff --git a/t/attach.t b/t/attach.t
new file mode 100644
index 0000000..5ffdae5
--- /dev/null
+++ b/t/attach.t
@@ -0,0 +1,42 @@
+#!./perl -w
+#
+# This file tests that Storable correctly uses STORABLE_attach hooks
+
+sub BEGIN {
+ unshift @INC, 't';
+ unshift @INC, 't/compat' if $] < 5.006002;
+ require Config; import Config;
+ if ($ENV{PERL_CORE} and $Config{'extensions'} !~ /\bStorable\b/) {
+ print "1..0 # Skip: Storable was not built\n";
+ exit 0;
+ }
+}
+
+use Test::More tests => 3;
+use Storable ();
+
+{
+ my $destruct_cnt = 0;
+ my $obj = bless {data => 'ok'}, 'My::WithDestructor';
+ my $target = Storable::thaw( Storable::freeze( $obj ) );
+ is( $target->{data}, 'ok', 'We got correct object after freeze/thaw' );
+ is( $destruct_cnt, 0, 'No tmp objects created by Storable' );
+ undef $obj;
+ undef $target;
+ is( $destruct_cnt, 2, 'Only right objects destroyed at the end' );
+
+ package My::WithDestructor;
+
+ sub STORABLE_freeze {
+ my ($self, $clone) = @_;
+ return $self->{data};
+ }
+
+ sub STORABLE_attach {
+ my ($class, $clone, $string) = @_;
+ return bless {data => $string}, 'My::WithDestructor';
+ }
+
+ sub DESTROY { $destruct_cnt++; }
+}
+
diff --git a/t/attach_errors.t b/t/attach_errors.t
index c163ca0..6cebd97 100644
--- a/t/attach_errors.t
+++ b/t/attach_errors.t
@@ -234,7 +234,7 @@ use Storable ();
isa_ok( $thawed->[1], 'My::GoodAttach::MultipleReferences' );
is($thawed->[0], $thawed->[1], 'References to the same object are attached properly');
- is($thawed->[1]{id}, $obj->{id}, 'Object with multiple references attchached properly');
+ is($thawed->[1]{id}, $obj->{id}, 'Object with multiple references attached properly');
package My::GoodAttach::MultipleReferences;
diff --git a/t/canonical.t b/t/canonical.t
index 23e012f..35046de 100644
--- a/t/canonical.t
+++ b/t/canonical.t
@@ -34,7 +34,7 @@ $maxarraysize = 100;
eval { require Digest::MD5; };
$gotmd5 = !$@;
-diag "Will use Digest::MD5" if $gotmd5;
+note "Will use Digest::MD5" if $gotmd5;
# Use Data::Dumper if debugging and it is available to create an ASCII dump
diff --git a/t/code.t b/t/code.t
index c383142..7fc40ba 100644
--- a/t/code.t
+++ b/t/code.t
@@ -102,7 +102,7 @@ is($thawed->{"b"}->(), "JAPH");
$freezed = freeze $obj[2];
$thawed = thaw $freezed;
-is($thawed->(), 42);
+is($thawed->(), (ord "A") == 193 ? -118 : 42);
######################################################################
diff --git a/t/leaks.t b/t/leaks.t
new file mode 100644
index 0000000..06360d6
--- /dev/null
+++ b/t/leaks.t
@@ -0,0 +1,34 @@
+#!./perl
+
+use Test::More;
+use Storable ();
+BEGIN {
+eval "use Test::LeakTrace";
+plan 'skip_all' => 'Test::LeakTrace required for this tests' if $@;
+}
+plan 'tests' => 1;
+
+{
+ my $c = My::Simple->new;
+ my $d;
+ my $freezed = Storable::freeze($c);
+ no_leaks_ok
+ {
+ $d = Storable::thaw($freezed);
+ undef $d;
+ };
+
+ package My::Simple;
+ sub new {
+ my ($class, $arg) = @_;
+ bless {t=>$arg}, $class;
+ }
+ sub STORABLE_freeze {
+ return "abcderfgh";
+ }
+ sub STORABLE_attach {
+ my ($class, $c, $serialized) = @_;
+ return $class->new($serialized);
+ }
+}
+
diff --git a/t/tied_store.t b/t/tied_store.t
new file mode 100644
index 0000000..c657f95
--- /dev/null
+++ b/t/tied_store.t
@@ -0,0 +1,64 @@
+#!./perl
+
+sub BEGIN {
+ unshift @INC, 't';
+ unshift @INC, 't/compat' if $] < 5.006002;
+ require Config; import Config;
+ if ($ENV{PERL_CORE} and $Config{'extensions'} !~ /\bStorable\b/) {
+ print "1..0 # Skip: Storable was not built\n";
+ exit 0;
+ }
+}
+
+use Storable ();
+use Test::More tests => 3;
+
+our $f;
+
+package TIED_HASH;
+
+sub TIEHASH { bless({}, $_[0]) }
+
+sub STORE {
+ $f = Storable::freeze(\$_[2]);
+ 1;
+}
+
+package TIED_ARRAY;
+
+sub TIEARRAY { bless({}, $_[0]) }
+
+sub STORE {
+ $f = Storable::freeze(\$_[2]);
+ 1;
+}
+
+package TIED_SCALAR;
+
+sub TIESCALAR { bless({}, $_[0]) }
+
+sub STORE {
+ $f = Storable::freeze(\$_[1]);
+ 1;
+}
+
+package main;
+
+my($s, @a, %h);
+tie $s, "TIED_SCALAR";
+tie @a, "TIED_ARRAY";
+tie %h, "TIED_HASH";
+
+$f = undef;
+$s = 111;
+is $f, Storable::freeze(\111);
+
+$f = undef;
+$a[3] = 222;
+is $f, Storable::freeze(\222);
+
+$f = undef;
+$h{foo} = 333;
+is $f, Storable::freeze(\333);
+
+1;
diff --git a/t/utf8.t b/t/utf8.t
index fd20ef6..a8dd6cd 100644
--- a/t/utf8.t
+++ b/t/utf8.t
@@ -32,8 +32,10 @@ is($x, ${thaw freeze \$x});
$x = join '', map {chr $_} (0..1023);
is($x, ${thaw freeze \$x});
-# Char in the range 127-255 (probably) in utf8
-$x = chr (175) . chr (256);
+# Char in the range 127-255 (probably) in utf8. This just won't work for
+# EBCDIC for early Perls.
+$x = ($] lt 5.007_003) ? chr(175) : chr(utf8::unicode_to_native(175))
+ . chr (256);
chop $x;
is($x, ${thaw freeze \$x});
--
2.1.0

99
SOURCES/Storable-2.53-Upgrade-to-2.56.patch
Unescape View File

@ -0,0 +1,99 @@
diff --git a/Storable.pm b/Storable.pm
index 9d8b621..c8f6db1 100644
--- a/Storable.pm
+++ b/Storable.pm
@@ -22,7 +22,7 @@ package Storable; @ISA = qw(Exporter);
use vars qw($canonical $forgive_me $VERSION);
-$VERSION = '2.53';
+$VERSION = '2.56';
BEGIN {
if (eval { local $SIG{__DIE__}; require Log::Agent; 1 }) {
@@ -979,43 +979,43 @@ such.
Here are some code samples showing a possible usage of Storable:
- use Storable qw(store retrieve freeze thaw dclone);
+ use Storable qw(store retrieve freeze thaw dclone);
- %color = ('Blue' => 0.1, 'Red' => 0.8, 'Black' => 0, 'White' => 1);
+ %color = ('Blue' => 0.1, 'Red' => 0.8, 'Black' => 0, 'White' => 1);
- store(\%color, 'mycolors') or die "Can't store %a in mycolors!\n";
+ store(\%color, 'mycolors') or die "Can't store %a in mycolors!\n";
- $colref = retrieve('mycolors');
- die "Unable to retrieve from mycolors!\n" unless defined $colref;
- printf "Blue is still %lf\n", $colref->{'Blue'};
+ $colref = retrieve('mycolors');
+ die "Unable to retrieve from mycolors!\n" unless defined $colref;
+ printf "Blue is still %lf\n", $colref->{'Blue'};
- $colref2 = dclone(\%color);
+ $colref2 = dclone(\%color);
- $str = freeze(\%color);
- printf "Serialization of %%color is %d bytes long.\n", length($str);
- $colref3 = thaw($str);
+ $str = freeze(\%color);
+ printf "Serialization of %%color is %d bytes long.\n", length($str);
+ $colref3 = thaw($str);
which prints (on my machine):
- Blue is still 0.100000
- Serialization of %color is 102 bytes long.
+ Blue is still 0.100000
+ Serialization of %color is 102 bytes long.
Serialization of CODE references and deserialization in a safe
compartment:
=for example begin
- use Storable qw(freeze thaw);
- use Safe;
- use strict;
- my $safe = new Safe;
+ use Storable qw(freeze thaw);
+ use Safe;
+ use strict;
+ my $safe = new Safe;
# because of opcodes used in "use strict":
- $safe->permit(qw(:default require));
- local $Storable::Deparse = 1;
- local $Storable::Eval = sub { $safe->reval($_[0]) };
- my $serialized = freeze(sub { 42 });
- my $code = thaw($serialized);
- $code->() == 42;
+ $safe->permit(qw(:default require));
+ local $Storable::Deparse = 1;
+ local $Storable::Eval = sub { $safe->reval($_[0]) };
+ my $serialized = freeze(sub { 42 });
+ my $code = thaw($serialized);
+ $code->() == 42;
=for example end
diff --git a/Storable.xs b/Storable.xs
index e7d0329..83cd001 100644
--- a/Storable.xs
+++ b/Storable.xs
@@ -1667,6 +1667,7 @@ static void free_context(pTHX_ stcxt_t *cxt)
ASSERT(!cxt->s_dirty, ("clean context"));
ASSERT(prev, ("not freeing root context"));
+ assert(prev);
SvREFCNT_dec(cxt->my_sv);
SET_STCXT(prev);
@@ -6677,6 +6678,7 @@ SV * obj
ALIAS:
net_mstore = 1
CODE:
+ RETVAL = &PL_sv_undef;
if (!do_store(aTHX_ (PerlIO*) 0, obj, 0, ix, &RETVAL))
RETVAL = &PL_sv_undef;
OUTPUT:

18
SOURCES/Storable-2.56-CVE-2016-1238-avoid-loading-optional-modules-from.patch
Unescape View File

@ -0,0 +1,18 @@
diff -up Storable/Storable.pm.cve Storable/Storable.pm
--- Storable/Storable.pm.cve 2016-03-19 19:50:47.000000000 +0100
+++ Storable/Storable.pm 2016-08-03 12:48:36.415082280 +0200
@@ -25,7 +25,13 @@ use vars qw($canonical $forgive_me $VERS
$VERSION = '2.56';
BEGIN {
- if (eval { local $SIG{__DIE__}; require Log::Agent; 1 }) {
+ if (eval {
+ local $SIG{__DIE__};
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
+ require Log::Agent;
+ 1;
+ }) {
Log::Agent->import;
}
#

103
SOURCES/Storable-2.56-Fix-stack-buffer-overflow-in-deserialization-of-hook.patch
Unescape View File

@ -0,0 +1,103 @@
From c34e1dd29983e5d36d367462b9b4b4b8fcd5a0f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 6 Feb 2017 15:13:41 +0100
Subject: [PATCH] Fix stack buffer overflow in deserialization of hooks.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ported from perl:
commit 3e998ddfb597cfae7bdb460b22e6c50440b1de92
Author: John Lightsey <jd@cpanel.net>
Date: Tue Jan 24 10:30:18 2017 -0600
Fix stack buffer overflow in deserialization of hooks.
The use of signed lengths resulted in a stack overflow in retrieve_hook()
when a negative length was provided in the storable data.
The retrieve_blessed() codepath had a similar problem with the placement
of the trailing null byte when negative lengths were provided.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
Storable.xs | 11 +++++++++--
t/store.t | 12 +++++++++++-
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/Storable.xs b/Storable.xs
index bc15d1d..3cce3ed 100644
--- a/Storable.xs
+++ b/Storable.xs
@@ -4016,7 +4016,7 @@ static SV *retrieve_idx_blessed(pTHX_ stcxt_t *cxt, const char *cname)
*/
static SV *retrieve_blessed(pTHX_ stcxt_t *cxt, const char *cname)
{
- I32 len;
+ U32 len;
SV *sv;
char buf[LG_BLESS + 1]; /* Avoid malloc() if possible */
char *classname = buf;
@@ -4037,6 +4037,9 @@ static SV *retrieve_blessed(pTHX_ stcxt_t *cxt, const char *cname)
if (len & 0x80) {
RLEN(len);
TRACEME(("** allocating %d bytes for class name", len+1));
+ if (len > I32_MAX) {
+ CROAK(("Corrupted classname length"));
+ }
New(10003, classname, len+1, char);
malloced_classname = classname;
}
@@ -4087,7 +4090,7 @@ static SV *retrieve_blessed(pTHX_ stcxt_t *cxt, const char *cname)
*/
static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
{
- I32 len;
+ U32 len;
char buf[LG_BLESS + 1]; /* Avoid malloc() if possible */
char *classname = buf;
unsigned int flags;
@@ -4221,6 +4224,10 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
else
GETMARK(len);
+ if (len > I32_MAX) {
+ CROAK(("Corrupted classname length"));
+ }
+
if (len > LG_BLESS) {
TRACEME(("** allocating %d bytes for class name", len+1));
New(10003, classname, len+1, char);
diff --git a/t/store.t b/t/store.t
index be43299..1cbf021 100644
--- a/t/store.t
+++ b/t/store.t
@@ -19,7 +19,7 @@ sub BEGIN {
use Storable qw(store retrieve store_fd nstore_fd fd_retrieve);
-use Test::More tests => 21;
+use Test::More tests => 22;
$a = 'toto';
$b = \$a;
@@ -87,5 +87,15 @@ is(&dump($r), &dump(\%a));
eval { $r = fd_retrieve(::OUT); };
isnt($@, '');
+{
+
+ my $frozen =
+ "\x70\x73\x74\x30\x04\x0a\x08\x31\x32\x33\x34\x35\x36\x37\x38\x04\x08\x08\x08\x03\xff\x00\x00\x00\x19\x08\xff\x00\x00\x00\x08\x08\xf9\x16\x16\x13\x16\x10\x10\x10\xff\x15\x16\x16\x16\x1e\x16\x16\x16\x16\x16\x16\x16\x16\x16\x16\x13\xf0\x16\x16\x16\xfe\x16\x41\x41\x41\x41\xe8\x03\x41\x41\x41\x41\x41\x41\x41\x41\x51\x41\xa9\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xb8\xac\xac\xac\xac\xac\xac\xac\xac\x9a\xac\xac\xac\xac\xac\xac\xac\xac\xac\x93\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\x00\x64\xac\xa8\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\x2c\xac\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x80\x41\x80\x41\x41\x41\x41\x41\x41\x51\x41\xac\xac\xac";
+ open my $fh, '<', \$frozen;
+ eval { Storable::fd_retrieve($fh); };
+ pass('RT 130635: no stack smashing error when retrieving hook');
+
+}
+
close OUT or die "Could not close: $!";
END { 1 while unlink 'store' }
--
2.7.4

81
SOURCES/Storable-2.56-prevent-leak-of-class-name-from-retrieve_hook-on-an-.patch
Unescape View File

@ -0,0 +1,81 @@
From 979ae704ddc9e6f19d8dbf7a83bea155065ef3cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 6 Feb 2017 15:26:09 +0100
Subject: [PATCH] prevent leak of class name from retrieve_hook() on an
exception
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ported from perl:
commit da1ec2b1b9abdfd956d9c539abf39d908d046304
Author: Tony Cook <tony@develop-help.com>
Date: Mon Feb 6 11:38:10 2017 +1100
prevent leak of class name from retrieve_hook() on an exception
If supplied with a large class name, retrieve_hook() allocates
buffer for the class name and Safefree()s it on exit path.
Unfortunately this memory leaks if load_module() (or a couple of other
code paths) throw an exception.
So use SAVEFREEPV() to release the memory instead.
==20183== 193 bytes in 1 blocks are definitely lost in loss record 4 of 6
==20183== at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20183== by 0x55F85D: Perl_safesysmalloc (util.c:153)
==20183== by 0x6ACA046: retrieve_hook (Storable.xs:4265)
==20183== by 0x6AD6D19: retrieve (Storable.xs:6217)
==20183== by 0x6AD8144: do_retrieve (Storable.xs:6401)
==20183== by 0x6AD85B7: pretrieve (Storable.xs:6506)
==20183== by 0x6AD8E14: XS_Storable_pretrieve (Storable.xs:6718)
==20183== by 0x5C176D: Perl_pp_entersub (pp_hot.c:4227)
==20183== by 0x55E1C6: Perl_runops_debug (dump.c:2450)
==20183== by 0x461B79: S_run_body (perl.c:2528)
==20183== by 0x46115C: perl_run (perl.c:2451)
==20183== by 0x41F1CD: main (perlmain.c:123)
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
Storable.xs | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/Storable.xs b/Storable.xs
index 3cce3ed..75ce3df 100644
--- a/Storable.xs
+++ b/Storable.xs
@@ -4249,6 +4249,11 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
TRACEME(("class name: %s", classname));
+ if (!(flags & SHF_IDX_CLASSNAME) && classname != buf) {
+ /* some execution paths can throw an exception */
+ SAVEFREEPV(classname);
+ }
+
/*
* Decode user-frozen string length and read it in an SV.
*
@@ -4367,8 +4372,6 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
SEEN0(sv, 0);
SvRV_set(attached, NULL);
SvREFCNT_dec(attached);
- if (!(flags & SHF_IDX_CLASSNAME) && classname != buf)
- Safefree(classname);
return sv;
}
CROAK(("STORABLE_attach did not return a %s object", classname));
@@ -4449,8 +4452,6 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
SvREFCNT_dec(frozen);
av_undef(av);
sv_free((SV *) av);
- if (!(flags & SHF_IDX_CLASSNAME) && classname != buf)
- Safefree(classname);
/*
* If we had an <extra> type, then the object was not as simple, and
--
2.7.4

476
SOURCES/Storable-3.15-Upgrade-to-3.21.patch
Unescape View File

@ -1,476 +0,0 @@
From 0452589669aed9ad06940de7c1620b340608868a Mon Sep 17 00:00:00 2001
From: Jitka Plesnikova <jplesnik@redhat.com>
Date: Mon, 1 Jun 2020 12:58:11 +0200
Subject: [PATCH] Upgrade to 3.21
---
ChangeLog | 33 ++++++++++++++++++-
MANIFEST | 3 +-
Makefile.PL | 59 +++++++++++++---------------------
__Storable__.pm => Storable.pm | 23 +++++++------
Storable.pm.PL | 35 --------------------
Storable.xs | 20 ++++++++----
stacksize | 2 +-
t/attach_errors.t | 2 +-
t/huge.t | 4 +--
t/recurse.t | 4 +--
t/regexp.t | 8 ++---
11 files changed, 93 insertions(+), 100 deletions(-)
rename __Storable__.pm => Storable.pm (99%)
delete mode 100644 Storable.pm.PL
diff --git a/ChangeLog b/ChangeLog
index 0488199..bf35381 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,34 @@
+2010-01-27 10:27:00 TonyC
+ version 3.20
+ * fix a format string and arguments for some debugging text
+ * linkify references to alternatives to Storable
+
+2020-01-27 11:01:00 TonyC
+ version 3.19
+ * add casts to match some I32 parameters to "%d" formats (#17339)
+ * fix dependencies in Makefile.PL -> META (#17422)
+ * make use of note() optional, this requires a newer version of
+ Test::More and there's a circular dependency between later
+ versions of Test::More and Storable (#17422)
+
+2019-11-19 07:59:39 TonyC
+ version 3.18
+ * update bug tracker to point at github (#17298)
+ * disallow vstring magic strings over 2GB-1 (#17306)
+ * mark some ASCII dependent tests as ASCII platform only
+
+2019-08-08 11:48:00 TonyC
+ version 3.17
+ * correct a data type to ensure the check for too large results from
+ STORABLE_freeze() are detected correctly (detected by Coverity)
+ * removed remains of stack size detection from the build process.
+ * moved CAN_FLOCK detection into XS to simplify the build process.
+
+2019-06-11 10:43:00 TonyC
+ version 3.16
+ * (perl #134179) fix self-referencing structures that include regexps
+ * bless regexps to preserve bless qr//, "Foo"
+
2019-04-23 16:00:00 xsawyerx
version 3.15
* Fix leaking.
@@ -341,7 +372,7 @@ Sat Mar 13 20:11:03 GMT 2004 Nicholas Clark <nick@ccl4.org>
Version 2.11
1. Storing restricted hashes in canonical order would SEGV. Fixed.
- 2. It was impossible to retrieve references to PL_sv_no and and
+ 2. It was impossible to retrieve references to PL_sv_no and
PL_sv_undef from STORABLE_thaw hooks.
3. restrict.t was failing on 5.8.0, due to 5.8.0's unique
implementation of restricted hashes using PL_sv_undef
diff --git a/MANIFEST b/MANIFEST
index d30b94e..5e382d9 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -1,4 +1,3 @@
-__Storable__.pm
ChangeLog
hints/gnukfreebsd.pl
hints/gnuknetbsd.pl
@@ -11,7 +10,7 @@ META.yml Module meta-data (added by MakeMaker)
ppport.h
README
stacksize
-Storable.pm.PL
+Storable.pm
Storable.xs
t/attach.t
t/attach_errors.t
diff --git a/Makefile.PL b/Makefile.PL
index 4a39125..e03e141 100644
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -10,43 +10,48 @@ use strict;
use warnings;
use ExtUtils::MakeMaker 6.31;
use Config;
-use File::Copy qw(move copy);
-use File::Spec;
-
-my $pm = { 'Storable.pm' => '$(INST_ARCHLIB)/Storable.pm' };
WriteMakefile(
NAME => 'Storable',
AUTHOR => 'Perl 5 Porters',
LICENSE => 'perl',
DISTNAME => "Storable",
-# We now ship this in t/
-# PREREQ_PM => { 'Test::More' => '0.41' },
- PL_FILES => { }, # prevent default behaviour
- PM => $pm,
- PREREQ_PM => { XSLoader => 0 },
+ PREREQ_PM =>
+ {
+ XSLoader => 0,
+ },
+ ( $ExtUtils::MakeMaker::VERSION >= 6.64 ?
+ (
+ CONFIGURE_REQUIRES => {
+ 'ExtUtils::MakeMaker' => '6.31',
+ },
+ BUILD_REQUIRES => {
+ 'ExtUtils::MakeMaker' => '6.31',
+ },
+ TEST_REQUIRES => {
+ 'Test::More' => '0.41',
+ },
+ )
+ : () ),
INSTALLDIRS => ($] >= 5.007 && $] < 5.012) ? 'perl' : 'site',
- VERSION_FROM => '__Storable__.pm',
- ABSTRACT_FROM => '__Storable__.pm',
+ VERSION_FROM => 'Storable.pm',
+ ABSTRACT_FROM => 'Storable.pm',
($ExtUtils::MakeMaker::VERSION > 6.45 ?
(META_MERGE => { resources =>
- { bugtracker => 'http://rt.perl.org/perlbug/' },
+ { bugtracker => 'https://github.com/Perl/perl5/issues' },
provides => {
'Storable' => {
- file => '__Storable__.pm',
- version => MM->parse_version('__Storable__.pm'),
+ file => 'Storable.pm',
+ version => MM->parse_version('Storable.pm'),
},
},
},
) : ()),
dist => { SUFFIX => 'gz', COMPRESS => 'gzip -f' },
- clean => { FILES => 'Storable-* Storable.pm lib' },
+ clean => { FILES => 'Storable-*' },
);
-# Unlink the .pm file included with the distribution
-1 while unlink "Storable.pm";
-
my $ivtype = $Config{ivtype};
# I don't know if the VMS folks ever supported long long on 5.6.x
@@ -67,16 +72,8 @@ in the Storable documentation for instructions on how to read your data.
EOM
}
-# compute the maximum stacksize, before and after linking
package MY;
-# FORCE finish of INST_DYNAMIC, avoid loading the old Storable (failed XS_VERSION check)
-sub xlinkext {
- my $s = shift->SUPER::linkext(@_);
- $s =~ s|( :: .*)| $1 FORCE stacksize|;
- $s
-}
-
sub depend {
"
@@ -87,13 +84,3 @@ release : dist
git push --tags
"
}
-
-sub postamble {
-'
-all :: Storable.pm
- $(NOECHO) $(NOOP)
-
-Storable.pm :: Storable.pm.PL __Storable__.pm
- $(PERLRUN) Storable.pm.PL
-'
-}
diff --git a/__Storable__.pm b/Storable.pm
similarity index 99%
rename from __Storable__.pm
rename to Storable.pm
index 9237371..1a750f1 100644
--- a/__Storable__.pm
+++ b/Storable.pm
@@ -8,7 +8,7 @@
# in the README file that comes with the distribution.
#
-require XSLoader;
+BEGIN { require XSLoader }
require Exporter;
package Storable;
@@ -27,7 +27,9 @@ our @EXPORT_OK = qw(
our ($canonical, $forgive_me);
-our $VERSION = '3.15';
+BEGIN {
+ our $VERSION = '3.21';
+}
our $recursion_limit;
our $recursion_limit_hash;
@@ -104,14 +106,12 @@ $Storable::flags = FLAGS_COMPAT;
$Storable::downgrade_restricted = 1;
$Storable::accept_future_minor = 1;
-XSLoader::load('Storable');
+BEGIN { XSLoader::load('Storable') };
#
# Determine whether locking is possible, but only when needed.
#
-sub CAN_FLOCK; # TEMPLATE - replaced by Storable.pm.PL
-
sub show_file_magic {
print <<EOM;
#
@@ -266,7 +266,7 @@ sub _store {
local *FILE;
if ($use_locking) {
open(FILE, ">>", $file) || logcroak "can't write into $file: $!";
- unless (&CAN_FLOCK) {
+ unless (CAN_FLOCK) {
logcarp
"Storable::lock_store: fcntl/flock emulation broken on $^O";
return undef;
@@ -410,7 +410,7 @@ sub _retrieve {
my $self;
my $da = $@; # Could be from exception handler
if ($use_locking) {
- unless (&CAN_FLOCK) {
+ unless (CAN_FLOCK) {
logcarp
"Storable::lock_store: fcntl/flock emulation broken on $^O";
return undef;
@@ -986,6 +986,9 @@ modifying C<$Storable::recursion_limit> and
C<$Storable::recursion_limit_hash> respectively. Either can be set to
C<-1> to prevent any depth checks, though this isn't recommended.
+If you want to test what the limits are, the F<stacksize> tool is
+included in the C<Storable> distribution.
+
=item *
You can create endless loops if the things you serialize via freeze()
@@ -1224,9 +1227,9 @@ See CVE-2015-1592 and its metasploit module.
If your application requires accepting data from untrusted sources,
you are best off with a less powerful and more-likely safe
serialization format and implementation. If your data is sufficiently
-simple, Cpanel::JSON::XS, Data::MessagePack or Serial are the best
-choices and offers maximum interoperability, but note that Serial is
-unsafe by default.
+simple, L<Cpanel::JSON::XS>, L<Data::MessagePack> or L<Sereal> are the best
+choices and offer maximum interoperability, but note that Sereal is
+L<unsafe by default|Sereal::Decoder/ROBUSTNESS>.
=head1 WARNING
diff --git a/Storable.pm.PL b/Storable.pm.PL
deleted file mode 100644
index df979c0..0000000
--- a/Storable.pm.PL
+++ /dev/null
@@ -1,35 +0,0 @@
-use strict;
-use warnings;
-
-use Config;
-
-my $template;
-{ # keep all the code in an external template to keep it easy to update
- local $/;
- open my $FROM, '<', '__Storable__.pm' or die $!;
- $template = <$FROM>;
- close $FROM or die $!;
-}
-
-sub CAN_FLOCK {
- return
- $Config{'d_flock'} ||
- $Config{'d_fcntl_can_lock'} ||
- $Config{'d_lockf'}
- ? 1 : 0;
-}
-
-my $CAN_FLOCK = CAN_FLOCK();
-
-# populate the sub and preserve it if used outside
-$template =~ s{^sub CAN_FLOCK;.*$}{sub CAN_FLOCK { ${CAN_FLOCK} } # computed by Storable.pm.PL}m;
-# alternatively we could remove the sub
-#$template =~ s{^sub CAN_FLOCK;.*$}{}m;
-# replace local function calls to hardcoded value
-$template =~ s{&CAN_FLOCK}{${CAN_FLOCK}}g;
-
-{
- open my $OUT, '>', 'Storable.pm' or die $!;
- print {$OUT} $template or die $!;
- close $OUT or die $!;
-}
diff --git a/Storable.xs b/Storable.xs
index e1f0b88..4c4c268 100644
--- a/Storable.xs
+++ b/Storable.xs
@@ -104,6 +104,12 @@
# define strEQc(s,c) memEQ(s, ("" c ""), sizeof(c))
#endif
+#if defined(HAS_FLOCK) || defined(FCNTL_CAN_LOCK) && defined(HAS_LOCKF)
+#define CAN_FLOCK &PL_sv_yes
+#else
+#define CAN_FLOCK &PL_sv_no
+#endif
+
#ifdef DEBUGME
#ifndef DASSERT
@@ -726,8 +732,8 @@ static stcxt_t *Context_ptr = NULL;
STRLEN nsz = (STRLEN) round_mgrow((x)+msiz); \
STRLEN offset = mptr - mbase; \
ASSERT(!cxt->membuf_ro, ("mbase is not read-only")); \
- TRACEME(("** extending mbase from %ld to %ld bytes (wants %ld new)", \
- (long)msiz, nsz, (long)(x))); \
+ TRACEME(("** extending mbase from %lu to %lu bytes (wants %lu new)", \
+ (unsigned long)msiz, (unsigned long)nsz, (unsigned long)(x))); \
Renew(mbase, nsz, char); \
msiz = nsz; \
mptr = mbase + offset; \
@@ -3085,7 +3091,7 @@ static int store_hash(pTHX_ stcxt_t *cxt, HV *hv)
len = HEK_LEN(hek);
if (len == HEf_SVKEY) {
/* This is somewhat sick, but the internal APIs are
- * such that XS code could put one of these in in
+ * such that XS code could put one of these in
* a regular hash.
* Maybe we should be capable of storing one if
* found.
@@ -3437,7 +3443,7 @@ static int get_regexp(pTHX_ stcxt_t *cxt, SV* sv, SV **re, SV **flags) {
count = call_sv((SV*)cv, G_ARRAY);
SPAGAIN;
if (count < 2)
- CROAK(("re::regexp_pattern returned only %d results", count));
+ CROAK(("re::regexp_pattern returned only %d results", (int)count));
*flags = POPs;
SvREFCNT_inc(*flags);
*re = POPs;
@@ -5952,7 +5958,7 @@ static SV *retrieve_lvstring(pTHX_ stcxt_t *cxt, const char *cname)
}
New(10003, s, len+1, char);
- SAFEPVREAD(s, len, s);
+ SAFEPVREAD(s, (I32)len, s);
sv = retrieve(aTHX_ cxt, cname);
if (!sv) {
@@ -6858,7 +6864,7 @@ static SV *retrieve_regexp(pTHX_ stcxt_t *cxt, const char *cname) {
SPAGAIN;
if (count != 1)
- CROAK(("Bad count %d calling _make_re", count));
+ CROAK(("Bad count %d calling _make_re", (int)count));
re_ref = POPs;
@@ -7807,6 +7813,8 @@ BOOT:
newCONSTSUB(stash, "BIN_MINOR", newSViv(STORABLE_BIN_MINOR));
newCONSTSUB(stash, "BIN_WRITE_MINOR", newSViv(STORABLE_BIN_WRITE_MINOR));
+ newCONSTSUB(stash, "CAN_FLOCK", CAN_FLOCK);
+
init_perinterp(aTHX);
gv_fetchpv("Storable::drop_utf8", GV_ADDMULTI, SVt_PV);
#ifdef DEBUGME
diff --git a/stacksize b/stacksize
index f93eccc..2896684 100644
--- a/stacksize
+++ b/stacksize
@@ -161,7 +161,7 @@ my $max_depth_hash = $n;
# instead so a user setting of either variable more closely matches
# the limits the use sees.
-# be fairly aggressive in trimming this, smoke testing showed several
+# be fairly aggressive in trimming this, smoke testing showed
# several apparently random failures here, eg. working in one
# configuration, but not in a very similar configuration.
$max_depth = int(0.6 * $max_depth);
diff --git a/t/attach_errors.t b/t/attach_errors.t
index 0ed7c8d..e2be39d 100644
--- a/t/attach_errors.t
+++ b/t/attach_errors.t
@@ -94,7 +94,7 @@ use Storable ();
# Error 2
#
# If, for some reason, a STORABLE_attach object is accidentally stored
-# with references, this should be checked and and error should be throw.
+# with references, this should be checked and an error should be thrown.
diff --git a/t/huge.t b/t/huge.t
index d28e238..09b173e 100644
--- a/t/huge.t
+++ b/t/huge.t
@@ -63,7 +63,7 @@ if ($Config{ptrsize} > 4 and !$has_too_many) {
[ 'huge array',
sub { my @x; $x[$huge] = undef; \@x } ];
} else {
- diag "skip huge array, need PERL_TEST_MEMORY >= 8";
+ diag "skip huge array, need PERL_TEST_MEMORY >= 55";
}
}
@@ -78,7 +78,7 @@ if (!$has_too_many) {
['huge hash',
sub { my %x = (0 .. $huge); \%x } ];
} else {
- diag "skip huge hash, need PERL_TEST_MEMORY >= 16";
+ diag "skip huge hash, need PERL_TEST_MEMORY >= 96";
}
}
diff --git a/t/recurse.t b/t/recurse.t
index b5967a0..6f82169 100644
--- a/t/recurse.t
+++ b/t/recurse.t
@@ -347,7 +347,7 @@ sub MAX_DEPTH_HASH () { Storable::stack_depth_hash() }
eval {
my $t;
$t = [$t] for 1 .. MAX_DEPTH*2;
- note 'trying catching recursive aref stack overflow';
+ eval { note('trying catching recursive aref stack overflow') };
dclone $t;
};
like $@, qr/Max\. recursion depth with nested structures exceeded/,
@@ -362,7 +362,7 @@ else {
my $t;
# 35.000 will cause appveyor 64bit windows to fail earlier
$t = {1=>$t} for 1 .. MAX_DEPTH * 2;
- note 'trying catching recursive href stack overflow';
+ eval { note('trying catching recursive href stack overflow') };
dclone $t;
};
like $@, qr/Max\. recursion depth with nested structures exceeded/,
diff --git a/t/regexp.t b/t/regexp.t
index e7c6c7e..6c6b1d5 100644
--- a/t/regexp.t
+++ b/t/regexp.t
@@ -123,7 +123,7 @@ __DATA__
A-; qr(\x2E) ; ".", !"a" ; \x2E - hex meta
-; qr/\./ ; "." , !"a" ; \. - backslash meta
8- ; qr/\x{100}/ ; "\x{100}" ; simple unicode
-12- ; qr/fss/i ; "f\xDF\x{101}" ; case insensive unicode promoted
-22-; qr/fss/ui ; "f\xDF" ; case insensitive unicode SS /iu
-22-; qr/fss/aai ; !"f\xDF" ; case insensitive unicode SS /iaa
-22-; qr/f\w/a ; "fo", !"f\xff" ; simple /a flag
+A12- ; qr/fss/i ; "f\xDF\x{101}" ; case insensive unicode promoted
+A22-; qr/fss/ui ; "f\xDF" ; case insensitive unicode SS /iu
+A22-; qr/fss/aai ; !"f\xDF" ; case insensitive unicode SS /iaa
+A22-; qr/f\w/a ; "fo", !"f\xff" ; simple /a flag
--
2.25.4

92
SOURCES/Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch
Unescape View File

@ -1,92 +0,0 @@
From 16f2ddb794883529d5a3ad8326974a07aae7e567 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 10 Jun 2019 10:17:20 +1000
Subject: [PATCH] (perl #134179) include regexps in the seen objects table on
retrieve
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Also, bless the regexp object, so freezing/thawing bless qr//, "Foo"
returns a "Foo" blesses regexp.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
dist/Storable/Storable.xs | 5 +++--
dist/Storable/t/regexp.t | 4 +++-
dist/Storable/t/weak.t | 10 +++++++++-
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
index ed729c94a6..6a45d8adf2 100644
--- a/dist/Storable/Storable.xs
+++ b/dist/Storable/Storable.xs
@@ -6808,8 +6808,7 @@ static SV *retrieve_regexp(pTHX_ stcxt_t *cxt, const char *cname) {
SV *sv;
dSP;
I32 count;
-
- PERL_UNUSED_ARG(cname);
+ HV *stash;
ENTER;
SAVETMPS;
@@ -6857,6 +6856,8 @@ static SV *retrieve_regexp(pTHX_ stcxt_t *cxt, const char *cname) {
sv = SvRV(re_ref);
SvREFCNT_inc(sv);
+ stash = cname ? gv_stashpv(cname, GV_ADD) : 0;
+ SEEN_NN(sv, stash, 0);
FREETMPS;
LEAVE;
diff --git a/dist/Storable/t/regexp.t b/dist/Storable/t/regexp.t
index acf28cfec6..e7c6c7e94a 100644
--- a/dist/Storable/t/regexp.t
+++ b/dist/Storable/t/regexp.t
@@ -37,7 +37,7 @@ while (<DATA>) {
}
}
-plan tests => 9 + 3*scalar(@tests);
+plan tests => 10 + 3*scalar(@tests);
SKIP:
{
@@ -75,6 +75,8 @@ SKIP:
ok(!eval { dclone($re) }, "should fail to clone, even with use re 'eval'");
}
+is(ref(dclone(bless qr//, "Foo")), "Foo", "check reblessed regexps");
+
for my $test (@tests) {
my ($code, $not, $match, $matchc, $name) = @$test;
my $qr = eval $code;
diff --git a/dist/Storable/t/weak.t b/dist/Storable/t/weak.t
index 220c70160f..48752fbec4 100644
--- a/dist/Storable/t/weak.t
+++ b/dist/Storable/t/weak.t
@@ -29,7 +29,7 @@ sub BEGIN {
}
use Test::More 'no_plan';
-use Storable qw (store retrieve freeze thaw nstore nfreeze);
+use Storable qw (store retrieve freeze thaw nstore nfreeze dclone);
require 'testlib.pl';
our $file;
use strict;
@@ -143,3 +143,11 @@ foreach (@tests) {
$stored = nfreeze $input;
tester($stored, \&freeze_and_thaw, $testsub, 'network string');
}
+
+{
+ # [perl #134179] sv_upgrade from type 7 down to type 1
+ my $foo = [qr//,[]];
+ weaken($foo->[1][0][0] = $foo->[1]);
+ my $out = dclone($foo); # croaked here
+ is_deeply($out, $foo, "check they match");
+}
--
2.20.1

53
SOURCES/Storable-3.16-Storable-make-count-large-enough.patch
Unescape View File

@ -1,53 +0,0 @@
From f7724052d1b8b75339f5ec2cc3d5b35ca5d130b5 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 7 Aug 2019 11:13:53 +1000
Subject: [PATCH] Storable: make count large enough
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
AvARRAY() could be very large, and we check for that at line 3807,
but int was (potentially) too small to make that comparison
meaningful.
CID 174681.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
dist/Storable/Storable.xs | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
index 6a45d8adf2..d75125b839 100644
--- a/dist/Storable/Storable.xs
+++ b/dist/Storable/Storable.xs
@@ -3662,7 +3662,7 @@ static int store_hook(
SV *ref;
AV *av;
SV **ary;
- int count; /* really len3 + 1 */
+ IV count; /* really len3 + 1 */
unsigned char flags;
char *pv;
int i;
@@ -3752,7 +3752,7 @@ static int store_hook(
SvREFCNT_dec(ref); /* Reclaim temporary reference */
count = AvFILLp(av) + 1;
- TRACEME(("store_hook, array holds %d items", count));
+ TRACEME(("store_hook, array holds %" IVdf " items", count));
/*
* If they return an empty list, it means they wish to ignore the
@@ -3986,7 +3986,7 @@ static int store_hook(
*/
TRACEME(("SX_HOOK (recursed=%d) flags=0x%x "
- "class=%" IVdf " len=%" IVdf " len2=%" IVdf " len3=%d",
+ "class=%" IVdf " len=%" IVdf " len2=%" IVdf " len3=%" IVdf,
recursed, flags, (IV)classnum, (IV)len, (IV)len2, count-1));
/* SX_HOOK <flags> [<extra>] */
--
2.20.1

61
SOURCES/perl-5.25.7-Fix-Storable-segfaults.patch
Unescape View File

@ -0,0 +1,61 @@
From fecd3be8dbdb747b9cbf4cbb9299ce40faabc8e6 Mon Sep 17 00:00:00 2001
From: John Lightsey <lightsey@debian.org>
Date: Mon, 14 Nov 2016 11:56:15 +0100
Subject: [PATCH] Fix Storable segfaults.
Fix a null pointed dereference segfault in storable when the
retrieve_code logic was unable to read the string that contained
the code.
Also fix several locations where retrieve_other was called with a
null context pointer. This also resulted in a null pointer
dereference.
---
dist/Storable/Storable.xs | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
index 053951c..caa489c 100644
--- a/dist/Storable/Storable.xs
+++ b/dist/Storable/Storable.xs
@@ -5647,6 +5647,10 @@ static SV *retrieve_code(pTHX_ stcxt_t *cxt, const char *cname)
CROAK(("Unexpected type %d in retrieve_code\n", type));
}
+ if (!text) {
+ CROAK(("Unable to retrieve code\n"));
+ }
+
/*
* prepend "sub " to the source
*/
@@ -5767,7 +5771,7 @@ static SV *old_retrieve_array(pTHX_ stcxt_t *cxt, const char *cname)
continue; /* av_extend() already filled us with undef */
}
if (c != SX_ITEM)
- (void) retrieve_other(aTHX_ (stcxt_t *) 0, 0); /* Will croak out */
+ (void) retrieve_other(aTHX_ cxt, 0); /* Will croak out */
TRACEME(("(#%d) item", i));
sv = retrieve(aTHX_ cxt, 0); /* Retrieve item */
if (!sv)
@@ -5844,7 +5848,7 @@ static SV *old_retrieve_hash(pTHX_ stcxt_t *cxt, const char *cname)
if (!sv)
return (SV *) 0;
} else
- (void) retrieve_other(aTHX_ (stcxt_t *) 0, 0); /* Will croak out */
+ (void) retrieve_other(aTHX_ cxt, 0); /* Will croak out */
/*
* Get key.
@@ -5855,7 +5859,7 @@ static SV *old_retrieve_hash(pTHX_ stcxt_t *cxt, const char *cname)
GETMARK(c);
if (c != SX_KEY)
- (void) retrieve_other(aTHX_ (stcxt_t *) 0, 0); /* Will croak out */
+ (void) retrieve_other(aTHX_ cxt, 0); /* Will croak out */
RLEN(size); /* Get key size */
KBUFCHK((STRLEN)size); /* Grow hash key read pool if needed */
if (size)
--
2.10.2

67
SOURCES/perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch
Unescape View File

@ -1,67 +0,0 @@
From ea1e86cfdf26a330e58ea377a80273de7110011b Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 21 Aug 2019 11:37:58 +1000
Subject: [PATCH] disallow vstring magic strings over 2GB-1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On reads this could result in buffer overflows, so avoid writing
such large vstrings to avoid causing problems for older Storable.
Since we no longer write such large vstrings, we don't want to accept
them.
I doubt that restricting versions strings to under 2GB-1 will have
a practical effect on downstream users.
fixes #17306
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
dist/Storable/Storable.xs | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
index c2335680ab..d27ac58012 100644
--- a/dist/Storable/Storable.xs
+++ b/dist/Storable/Storable.xs
@@ -2628,6 +2628,12 @@ static int store_scalar(pTHX_ stcxt_t *cxt, SV *sv)
/* The macro passes this by address, not value, and a lot of
called code assumes that it's 32 bits without checking. */
const SSize_t len = mg->mg_len;
+ /* we no longer accept vstrings over I32_SIZE-1, so don't emit
+ them, also, older Storables handle them badly.
+ */
+ if (len >= I32_MAX) {
+ CROAK(("vstring too large to freeze"));
+ }
STORE_PV_LEN((const char *)mg->mg_ptr,
len, SX_VSTRING, SX_LVSTRING);
}
@@ -5937,12 +5943,19 @@ static SV *retrieve_lvstring(pTHX_ stcxt_t *cxt, const char *cname)
{
#ifdef SvVOK
char *s;
- I32 len;
+ U32 len;
SV *sv;
RLEN(len);
- TRACEME(("retrieve_lvstring (#%d), len = %" IVdf,
- (int)cxt->tagnum, (IV)len));
+ TRACEME(("retrieve_lvstring (#%d), len = %" UVuf,
+ (int)cxt->tagnum, (UV)len));
+
+ /* Since we'll no longer produce such large vstrings, reject them
+ here too.
+ */
+ if (len >= I32_MAX) {
+ CROAK(("vstring too large to fetch"));
+ }
New(10003, s, len+1, char);
SAFEPVREAD(s, len, s);
--
2.21.0

169
SPECS/perl-Storable.spec
Unescape View File

@ -1,49 +1,50 @@
%global base_version 3.15 %global base_version 2.51
Name: perl-Storable Name: perl-Storable
Epoch: 1 Epoch: 1
Version: 3.21 Version: 2.56
Release: 460%{?dist} Release: 368%{?dist}
Summary: Persistence for Perl data structures Summary: Persistence for Perl data structures
# Storable.pm: GPL+ or Artistic
License: GPL+ or Artistic License: GPL+ or Artistic
URL: https://metacpan.org/release/Storable Group: Development/Libraries
Source0: https://cpan.metacpan.org/authors/id/X/XS/XSAWYERX/Storable-%{base_version}.tar.gz URL: http://search.cpan.org/dist/Storable/
# Fix deep cloning regular expression objects, RT#134179, Source0: http://www.cpan.org/authors/id/A/AM/AMS/Storable-%{base_version}.tar.gz
# in Perl upstream after 5.31.0 # Unbundled from perl 5.21.11
Patch0: Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch Patch0: Storable-2.51-Upgrade-to-2.53.patch
# Fix array length check in a store hook, in Perl upstream after 5.31.2 # Unbundled from perl 5.24.0
Patch1: Storable-3.16-Storable-make-count-large-enough.patch Patch1: Storable-2.53-Upgrade-to-2.56.patch
# Fix a buffer overflow when processing a vstring longer than 2^31-1, # Avoid loading optional modules from default . (CVE-2016-1238)
# Perl GH#17306, in perl upstream after 5.31.6 Patch2: Storable-2.56-CVE-2016-1238-avoid-loading-optional-modules-from.patch
Patch2: perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch # Fix crash in Storable when deserializing malformed code reference, RT#68348,
# Unbundled from perl 5.32.0 # RT130098
Patch3: Storable-3.15-Upgrade-to-3.21.patch Patch3: perl-5.25.7-Fix-Storable-segfaults.patch
# Fix a stack buffer overflow in deserialization of hooks, RT#130635,
# fixed in perl after 5.25.9
Patch4: Storable-2.56-Fix-stack-buffer-overflow-in-deserialization-of-hook.patch
# Fix a memory leak of a class name from retrieve_hook() on an exception,
# RT#130635, fixed in perl after 5.25.9
Patch5: Storable-2.56-prevent-leak-of-class-name-from-retrieve_hook-on-an-.patch
BuildRequires: coreutils
BuildRequires: gcc BuildRequires: gcc
BuildRequires: make BuildRequires: make
BuildRequires: perl
BuildRequires: perl-devel BuildRequires: perl-devel
BuildRequires: perl-generators BuildRequires: perl-generators
BuildRequires: perl-interpreter
BuildRequires: perl(Config) BuildRequires: perl(Config)
BuildRequires: perl(Cwd) BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76 BuildRequires: sed
BuildRequires: perl(File::Copy)
BuildRequires: perl(File::Spec) >= 0.8
BuildRequires: perl(strict)
BuildRequires: perl(warnings)
# Win32 not used on Linux
# Win32API::File not used on Linux
# Run-time: # Run-time:
# Carp substitutes missing Log::Agent
BuildRequires: perl(Carp) BuildRequires: perl(Carp)
BuildRequires: perl(Exporter) BuildRequires: perl(Exporter)
# Fcntl is optional, but locking is good # Fcntl is optional, but locking is good
BuildRequires: perl(Fcntl) BuildRequires: perl(Fcntl)
BuildRequires: perl(IO::File) BuildRequires: perl(IO::File)
# Log::Agent is optional # Log::Agent is optional
BuildRequires: perl(vars)
BuildRequires: perl(XSLoader) BuildRequires: perl(XSLoader)
# Tests: # Tests:
BuildRequires: perl(base)
BuildRequires: perl(bytes) BuildRequires: perl(bytes)
BuildRequires: perl(File::Temp)
BuildRequires: perl(integer) BuildRequires: perl(integer)
BuildRequires: perl(overload) BuildRequires: perl(overload)
BuildRequires: perl(utf8) BuildRequires: perl(utf8)
@ -51,18 +52,19 @@ BuildRequires: perl(Test::More)
BuildRequires: perl(threads) BuildRequires: perl(threads)
BuildRequires: perl(Safe) BuildRequires: perl(Safe)
BuildRequires: perl(Scalar::Util) BuildRequires: perl(Scalar::Util)
BuildRequires: perl(Tie::Array) BuildRequires: perl(strict)
BuildRequires: perl(warnings)
# Optional tests: # Optional tests:
# gzip not used
# Data::Dump not used # Data::Dump not used
# Data::Dumper not used # Data::Dumper not used
BuildRequires: perl(B::Deparse) >= 0.61 BuildRequires: perl(B::Deparse) >= 0.61
BuildRequires: perl(Digest::MD5) BuildRequires: perl(Digest::MD5)
BuildRequires: perl(File::Spec) >= 0.8
BuildRequires: perl(Hash::Util) BuildRequires: perl(Hash::Util)
# Test::LeakTrace omitted because it's not a core module requried for building
# core Storable.
BuildRequires: perl(Tie::Hash) BuildRequires: perl(Tie::Hash)
Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
# Carp substitutes missing Log::Agent
Requires: perl(Carp)
Requires: perl(Config) Requires: perl(Config)
# Fcntl is optional, but locking is good # Fcntl is optional, but locking is good
Requires: perl(Fcntl) Requires: perl(Fcntl)
@ -77,23 +79,29 @@ can be conveniently stored to disk and retrieved at a later time.
%prep %prep
%setup -q -n Storable-%{base_version} %setup -q -n Storable-%{base_version}
%patch0 -p3 %patch0 -p1
%patch1 -p3 %patch1 -p1
%patch2 -p3 %patch2 -p1
%patch3 -p1 %patch3 -p3
%patch4 -p1
%patch5 -p1
# Remove bundled modules
rm -rf t/compat
sed -i -e '/^t\/compat\//d' MANIFEST
%build %build
perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 OPTIMIZE="$RPM_OPT_FLAGS" # Be ware hints/linux.pl removes "-ON" from CFLAGS if N > 2 because it can
%{make_build} # break the code.
perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="$RPM_OPT_FLAGS"
make %{?_smp_mflags}
%install %install
%{make_install} make pure_install DESTDIR=$RPM_BUILD_ROOT
find $RPM_BUILD_ROOT -type f -name .packlist -delete
find $RPM_BUILD_ROOT -type f -name '*.bs' -size 0 -delete find $RPM_BUILD_ROOT -type f -name '*.bs' -size 0 -delete
find $RPM_BUILD_ROOT -type f -name '*.3pm' -size 0 -delete
%{_fixperms} $RPM_BUILD_ROOT/* %{_fixperms} $RPM_BUILD_ROOT/*
%check %check
unset PERL_CORE PERL_TEST_MEMORY PERL_RUN_SLOW_TESTS
make test make test
%files %files
@ -103,87 +111,6 @@ make test
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.21-460
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.21-459
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.21-458
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.21-457
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jun 22 2020 Jitka Plesnikova <jplesnik@redhat.com> - 1:3.21-456
- Upgrade to 3.21 as provided in perl-5.32.0
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.15-443
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Nov 25 2019 Petr Pisar <ppisar@redhat.com> - 1:3.15-442
- Fix a buffer overflow when processing a vstring longer than 2^31-1
(Perl GH#17306)
* Thu Aug 08 2019 Petr Pisar <ppisar@redhat.com> - 1:3.15-441
- Fix array length check in a store hook
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.15-440
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue Jun 11 2019 Petr Pisar <ppisar@redhat.com> - 1:3.15-439
- Fix deep cloning regular expression objects (RT#134179)
* Thu May 30 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:3.15-438
- Increase release to favour standalone package
* Wed Apr 24 2019 Petr Pisar <ppisar@redhat.com> - 1:3.15-1
- 3.15 bump
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.11-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 07 2019 Petr Pisar <ppisar@redhat.com> - 1:3.11-6
- Storable-3.11 source archive repackaged without a t/CVE-2015-1592.inc file
(RT#133706)
* Mon Aug 27 2018 Petr Pisar <ppisar@redhat.com> - 1:3.11-5
- Fix recursion check (RT#133326)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.11-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jun 26 2018 Jitka Plesnikova <jplesnik@redhat.com> - 1:3.11-3
- Perl 5.28 rebuild
* Tue Jun 05 2018 Petr Pisar <ppisar@redhat.com> - 1:3.11-2
- Do not package empty Storable::Limit(3pm) manual page
* Mon Apr 30 2018 Petr Pisar <ppisar@redhat.com> - 1:3.11-1
- 3.11 bump
* Mon Apr 23 2018 Petr Pisar <ppisar@redhat.com> - 1:3.09-1
- 3.09 bump
* Thu Apr 19 2018 Petr Pisar <ppisar@redhat.com> - 1:3.06-1
- 3.06 bump
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.62-396
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.62-395
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.62-394
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Jun 03 2017 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.62-393
- Perl 5.26 rebuild
* Thu May 11 2017 Petr Pisar <ppisar@redhat.com> - 1:2.62-1
- Upgrade to 2.62 as provided in perl-5.25.12
* Mon Feb 06 2017 Petr Pisar <ppisar@redhat.com> - 1:2.56-368 * Mon Feb 06 2017 Petr Pisar <ppisar@redhat.com> - 1:2.56-368
- Fix a stack buffer overflow in deserialization of hooks (RT#130635) - Fix a stack buffer overflow in deserialization of hooks (RT#130635)
- Fix a memory leak of a class name from retrieve_hook() on an exception - Fix a memory leak of a class name from retrieve_hook() on an exception

Write Preview
Loading…
Cancel
Save