equal
deleted
inserted
replaced
|
1 # |
|
2 # CVE-2011-2939 |
|
3 # http://perl5.git.perl.org/perl.git/commitdiff/e46d973584785af1f445c4dedbee4243419cb860#patch5 |
|
4 # https://bugzilla.redhat.com/show_bug.cgi?id=731246 |
|
5 # |
|
6 --- perl-5.12.3/cpan/Encode/Unicode/Unicode.xs.old 2011-11-15 22:37:18.836023493 -0800 |
|
7 +++ perl-5.12.3/cpan/Encode/Unicode/Unicode.xs 2011-11-15 22:40:56.191609987 -0800 |
|
8 @@ -246,7 +246,10 @@ |
|
9 This prevents allocating too much in the rogue case of a large |
|
10 input consisting initially of long sequence uft8-byte unicode |
|
11 chars followed by single utf8-byte chars. */ |
|
12 - STRLEN remaining = (e - s)/usize; |
|
13 + /* +1 |
|
14 + fixes Unicode.xs!decode_xs n-byte heap-overflow |
|
15 + */ |
|
16 + STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */ |
|
17 STRLEN max_alloc = remaining + (8*1024*1024); |
|
18 STRLEN est_alloc = remaining * UTF8_MAXLEN; |
|
19 STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */ |