Upstream-Status: Backport

This patch is from perl mainline:
http://perl5.git.perl.org/perl.git/commit/b675304e3fdbcce3ef853b06b6ebe870d99faa7e

Signed-off-by: Kang Kai <kai.kang@windriver.com>

---
From b675304e3fdbcce3ef853b06b6ebe870d99faa7e Mon Sep 17 00:00:00 2001
From: Andy Dougherty <doughera@lafayette.edu>
Date: Thu, 27 Sep 2012 09:52:18 -0400
Subject: [PATCH] avoid calling memset with a negative count

Poorly written perl code that allows an attacker to specify the count to
perl's 'x' string repeat operator can already cause a memory exhaustion
denial-of-service attack. A flaw in versions of perl before 5.15.5 can
escalate that into a heap buffer overrun; coupled with versions of glibc
before 2.16, it possibly allows the execution of arbitrary code.

The flaw addressed to this commit has been assigned identifier
CVE-2012-5195.
---
 util.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/util.c b/util.c
index 0ea39c6..230211e 100644
--- a/util.c
+++ b/util.c
@@ -3319,6 +3319,9 @@ Perl_repeatcpy(register char *to, register const char *from, I32 len, register I
 {
     PERL_ARGS_ASSERT_REPEATCPY;
 
+    if (count < 0)
+	Perl_croak_nocontext("%s",PL_memory_wrap);
+
     if (len == 1)
 	memset(to, *from, count);
     else if (count) {
-- 
1.7.4.1