Backport the CVE-2011-2939 fix for Encode (cherry picked from commit 2e8de60ec6c36c81...

author Florian Ragwitz <rafl@debian.org>

Mon, 5 Sep 2011 11:43:37 +0000 (13:43 +0200)

committer Dominic Hargreaves <dom@earth.li>

Thu, 1 Nov 2012 22:33:47 +0000 (22:33 +0000)
author Florian Ragwitz <rafl@debian.org>
Mon, 5 Sep 2011 11:43:37 +0000 (13:43 +0200)
committer Dominic Hargreaves <dom@earth.li>
Thu, 1 Nov 2012 22:33:47 +0000 (22:33 +0000)
diff --git a/cpan/Encode/Encode.pm b/cpan/Encode/Encode.pm

index f1dff78..0b5b9f8 100644 (file)
--- a/cpan/Encode/Encode.pm
+++ b/cpan/Encode/Encode.pm
@@ -4,7 +4,7 @@
 package Encode;
 use strict;
 use warnings;
-our $VERSION = sprintf "%d.%02d", q$Revision: 2.39 $ =~ /(\d+)/g;
+our $VERSION = sprintf "%d.%02d_01", q$Revision: 2.39 $ =~ /(\d+)/g;
 sub DEBUG () { 0 }
 use XSLoader ();
 XSLoader::load( __PACKAGE__, $VERSION );
diff --git a/cpan/Encode/Unicode/Unicode.xs b/cpan/Encode/Unicode/Unicode.xs

index 9741626..8e9d3d8 100644 (file)
--- a/cpan/Encode/Unicode/Unicode.xs
+++ b/cpan/Encode/Unicode/Unicode.xs
@@ -246,7 +246,10 @@ CODE:
               This prevents allocating too much in the rogue case of a large
               input consisting initially of long sequence uft8-byte unicode
               chars followed by single utf8-byte chars. */
-           STRLEN remaining = (e - s)/usize;
+           /* +1
+              fixes  Unicode.xs!decode_xs n-byte heap-overflow
+           */
+           STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */
            STRLEN max_alloc = remaining + (8*1024*1024);
            STRLEN est_alloc = remaining * UTF8_MAXLEN;
            STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */
author	Florian Ragwitz <rafl@debian.org>
	Mon, 5 Sep 2011 11:43:37 +0000 (13:43 +0200)
committer	Dominic Hargreaves <dom@earth.li>
	Thu, 1 Nov 2012 22:33:47 +0000 (22:33 +0000)
cpan/Encode/Encode.pm		patch \| blob \| blame \| history
cpan/Encode/Unicode/Unicode.xs		patch \| blob \| blame \| history