Storable: enable >2GB AvFILL check on store_hook

077ae63 added an if (count > I32_MAX) Too many references returned by STORABLE_freeze check, which was not enabled, because count was only int, not SSize_t. xav_fill was always SSize_t, so use that, which does not wrap around on 2GB. This is a security issue on 64bit cperl and perl5, as both allow SSize_t arrays.
perl11 · Sep 15, 2018 · ec0dd42 · ec0dd42
1 parent f8063aa
commit ec0dd42
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 6 deletions.
diff --git a/dist/Module-CoreList/lib/Module/CoreList.pm b/dist/Module-CoreList/lib/Module/CoreList.pm
@@ -17656,6 +17656,7 @@ our %delta :const = (
             'Module::CoreList::Utils'=> '5.20180913c',
             'Errno'                 => '1.29_01',
             'hashiter'              => '0.02',
+            'Storable'              => '3.11_02',
         },
         removed => {
         }

diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
@@ -4,7 +4,7 @@
  *
  *  Copyright (c) 1995-2000, Raphael Manfredi
  *  Copyright (c) 2016, 2017 cPanel Inc
- *  Copyright (c) 2017 Reini Urban
+ *  Copyright (c) 2017, 2018 Reini Urban
  *
  *  You may redistribute only under the same terms as Perl 5, as specified
  *  in the README file that comes with the distribution.
@@ -3636,7 +3636,7 @@ static int store_hook(
     SV *ref;
     AV *av;
     SV **ary;
-    int count;			/* really len3 + 1 */
+    SSize_t count;		/* really len3 + 1 */
     unsigned char flags;
     char *pv;
     int i;
@@ -3728,7 +3728,7 @@ static int store_hook(
     SvREFCNT_dec(ref);			/* Reclaim temporary reference */
 
     count = AvFILLp(av) + 1;
-    TRACEME(("store_hook, array holds %d items", count));
+    TRACEME(("store_hook, array holds %ld items", (long)count));
 
     /*
      * If they return an empty list, it means they wish to ignore the
@@ -3962,8 +3962,8 @@ static int store_hook(
      */
 
     TRACEME(("SX_HOOK (recursed=%d) flags=0x%x "
-             "class=%" IVdf " len=%" IVdf " len2=%" IVdf " len3=%d",
-             recursed, flags, (IV)classnum, (IV)len, (IV)len2, count-1));
+             "class=%" IVdf " len=%" IVdf " len2=%" IVdf " len3=%ld",
+             recursed, flags, (IV)classnum, (IV)len, (IV)len2, (long)count-1));
 
     /* SX_HOOK <flags> [<extra>] */
     if (!recursed) {

diff --git a/dist/Storable/__Storable__.pm b/dist/Storable/__Storable__.pm
@@ -27,7 +27,7 @@ our @EXPORT_OK = qw(
 
 our ($canonical, $forgive_me);
 
-our $VERSION = '3.11_01';
+our $VERSION = '3.11_02';
 our $XS_VERSION = $VERSION;
 $VERSION = eval $VERSION;
 

diff --git a/pod/perlcdelta.pod b/pod/perlcdelta.pod
@@ -144,6 +144,12 @@ See L</Protected hash iterators>.
 
 Protect from including some avx512 intrinsics directly on mingw.
 
+=item L<Storable> 3.11_02
+
+Enable >2GB AvFILL check on store_hook (64bit)
+Too many references returned by STORABLE_freeze.
+It wrapped around previously. Fixes Coverity CID #187854.
+
 =back
 
 =head2 Removed Modules and Pragmata