summaryrefslogtreecommitdiffstats
path: root/main/perl/CVE-2017-12883.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/perl/CVE-2017-12883.patch')
-rw-r--r--main/perl/CVE-2017-12883.patch28
1 files changed, 28 insertions, 0 deletions
diff --git a/main/perl/CVE-2017-12883.patch b/main/perl/CVE-2017-12883.patch
new file mode 100644
index 00000000000..9f18f1c66b5
--- /dev/null
+++ b/main/perl/CVE-2017-12883.patch
@@ -0,0 +1,28 @@
+--- a/regcomp.c
++++ b/regcomp.c
+Fixes CVE-2017-12883 for Perl 5.22
+Upstream commit 2be4edede4ae226e2eebd4eff28cedd2041f300f
+
+Note we had to change this patch slightly to get it to work with Perl 5.22.
+We did this by taking their official patch URL (https://perl5.git.perl.org/perl.git/blobdiff/f7e5417e7bffba03947b66e4d8622d7c220f2876..40b3cdad3649334585cee8f4630ec9a025e62be6:/regcomp.c)
+and changing the first commit to be the Perl 5.22.4 commit (a26666a1317770d8a2228ac3657ba58020c3511f),
+which resulted in a URL of https://perl5.git.perl.org/perl.git/blobdiff/a26666a1317770d8a2228ac3657ba58020c3511f..40b3cdad3649334585cee8f4630ec9a025e62be6:/regcomp.c.
+We then cherry picked this one change from that diff.
+@@ -11303,13 +11303,15 @@
+ }
+ sv_catpv(substitute_parse, ")");
+
+- RExC_parse = SvPV(substitute_parse, len);
++ len = SvCUR(substitute_parse);
+
+ /* Don't allow empty number */
+ if (len < (STRLEN) 8) {
+ RExC_parse = endbrace;
+ vFAIL("Invalid hexadecimal number in \\N{U+...}");
+ }
++
++ RExC_parse = SvPV_nolen(substitute_parse);
+ RExC_end = RExC_parse + len;
+
+ /* The values are Unicode, and therefore not subject to recoding, but
+
generated by cgit v1.2.3 (git 2.41.0) at 2024-04-18 18:14:19 +0000