Security fix for CVE-2011-2939, Perl decode_xs heap-based buffer overflow.

ok espie@ millert@
author: jasper <jasper@openbsd.org> 2011-11-01 13:52:21 +0000
committer: jasper <jasper@openbsd.org> 2011-11-01 13:52:21 +0000
commit: 945a9a587895b1b0229296859cdf38ee3657a42c (patch)
tree: 09792524a15958ed7d97aba0fcd3bfc5992138f3 /gnu/usr.bin/perl/cpan/Encode/Unicode/Unicode.xs
parent: Fixup previous: don't forget to actually get the current rtable; (diff)
download: wireguard-openbsd-945a9a587895b1b0229296859cdf38ee3657a42c.tar.xz
wireguard-openbsd-945a9a587895b1b0229296859cdf38ee3657a42c.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/gnu/usr.bin/perl/cpan/Encode/Unicode/Unicode.xs b/gnu/usr.bin/perl/cpan/Encode/Unicode/Unicode.xs
index 9741626bd31..d4f2e714ca2 100644
--- a/gnu/usr.bin/perl/cpan/Encode/Unicode/Unicode.xs
+++ b/gnu/usr.bin/perl/cpan/Encode/Unicode/Unicode.xs
@@ -246,7 +246,10 @@ CODE:
 	       This prevents allocating too much in the rogue case of a large
 	       input consisting initially of long sequence uft8-byte unicode
 	       chars followed by single utf8-byte chars. */
-	    STRLEN remaining = (e - s)/usize;
+	    /* +1 
+               fixes  Unicode.xs!decode_xs n-byte heap-overflow
+              */
+	    STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */
 	    STRLEN max_alloc = remaining + (8*1024*1024);
 	    STRLEN est_alloc = remaining * UTF8_MAXLEN;
 	    STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */
author	jasper <jasper@openbsd.org>	2011-11-01 13:52:21 +0000
committer	jasper <jasper@openbsd.org>	2011-11-01 13:52:21 +0000
commit	945a9a587895b1b0229296859cdf38ee3657a42c (patch)
tree	09792524a15958ed7d97aba0fcd3bfc5992138f3 /gnu/usr.bin/perl/cpan/Encode/Unicode/Unicode.xs
parent	Fixup previous: don't forget to actually get the current rtable; (diff)
download	wireguard-openbsd-945a9a587895b1b0229296859cdf38ee3657a42c.tar.xz wireguard-openbsd-945a9a587895b1b0229296859cdf38ee3657a42c.zip