Security fix for CVE-2011-2939, Perl decode_xs heap-based buffer overflow.

ok espie@ millert@

2 files changed, 5 insertions, 1 deletions

diff --git a/gnu/usr.bin/perl/cpan/Encode/Unicode/Unicode.xs b/gnu/usr.bin/perl/cpan/Encode/Unicode/Unicode.xs
index 9741626bd31..d4f2e714ca2 100644
--- a/gnu/usr.bin/perl/cpan/Encode/Unicode/Unicode.xs
+++ b/gnu/usr.bin/perl/cpan/Encode/Unicode/Unicode.xs
@@ -246,7 +246,10 @@ CODE:
 	       This prevents allocating too much in the rogue case of a large
 	       input consisting initially of long sequence uft8-byte unicode
 	       chars followed by single utf8-byte chars. */
-	    STRLEN remaining = (e - s)/usize;
+	    /* +1 
+               fixes  Unicode.xs!decode_xs n-byte heap-overflow
+              */
+	    STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */
 	    STRLEN max_alloc = remaining + (8*1024*1024);
 	    STRLEN est_alloc = remaining * UTF8_MAXLEN;
 	    STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */
diff --git a/gnu/usr.bin/perl/patchlevel.h b/gnu/usr.bin/perl/patchlevel.h
index ce714e7fef0..da35efdffc0 100644
--- a/gnu/usr.bin/perl/patchlevel.h
+++ b/gnu/usr.bin/perl/patchlevel.h
@@ -133,6 +133,7 @@ static const char * const local_patches[] = {
 	,"Updated List::Util to 1.23"
 	,"CVE-2011-1487"
 	,"Updated Digest to 1.17"
+	,"CVE-2011-2939"
 #ifdef PERL_GIT_UNCOMMITTED_CHANGES
 	,"uncommitted-changes"
 #endif