From 44d9bf5bcab8c71fb4b8980e6559abd57d2b8fe5 Mon Sep 17 00:00:00 2001
From: yangmingtai
Date: Fri, 25 Aug 2023 15:11:21 +0800
Subject: [PATCH] fix CVE-2022-48522

(cherry picked from commit 6bd423e3f8bed2723e95666d70d885cafbea8044)
---
 backport-CVE-2022-48522.patch | 78 +++++++++++++++++++++++++++++++++++
 perl.spec | 6 ++-
 2 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-48522.patch

diff --git a/backport-CVE-2022-48522.patch b/backport-CVE-2022-48522.patch
new file mode 100644
index 0000000..6cde8c2
--- /dev/null
+++ b/backport-CVE-2022-48522.patch
@@ -0,0 +1,78 @@
+From 43cbd598f60a85afcfc3de71e89e8a48330158f5 Mon Sep 17 00:00:00 2001
+From: Tony Cook
+Date: Wed, 22 Sep 2021 11:47:55 +1000
+Subject: [PATCH] Don't try to Sv[PI]V() on an undef index SV in
+ find_uninit_var()
+
+When trying to evaluate:
+
+ $x{$y}
+
+or
+
+ $x[$y]
+
+where both the index and the hash or array entry was undefined,
+when trying to report the entry as uninitialised, find_uninit_var()
+would try to get the string or numeric value of the index,
+recursively trying to produce a warning.
+
+This would end up overflowing the stack, producing a segmentation fault.
+
+Fixes #19147.
+
+(cherry picked from commit 23cca2d1f4544cb47f1124d98c308ce1f31f09a6)
+Conflict:NA
+Reference:https://github.com/Perl/perl5/commit/43cbd598f60a85afcfc3de71e89e8a48330158f5
+---
+ sv.c | 7 ++++---
+ t/lib/warnings/sv | 13 +++++++++++++
+ 2 files changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/sv.c b/sv.c
+index 27c425a54e6f..46bf9815cd15 100644
+--- a/sv.c
++++ b/sv.c
+@@ -16782,14 +16782,15 @@ S_find_uninit_var(pTHX_ const OP *const obase, const SV *const uninit_sv,
+ }
+ if (index_sv && !SvMAGICAL(index_sv) && !SvROK(index_sv)) {
+ if (is_hv) {
+- HE *he = hv_fetch_ent(MUTABLE_HV(sv), index_sv, 0, 0);
++ SV *report_index_sv = SvOK(index_sv) ? index_sv : &PL_sv_no;
++ HE *he = hv_fetch_ent(MUTABLE_HV(sv), report_index_sv, 0, 0);
+ if (!he) {
+ return varname(agg_gv, '%', agg_targ,
+- index_sv, 0, FUV_SUBSCRIPT_HASH);
++ report_index_sv, 0, FUV_SUBSCRIPT_HASH);
+ }
+ }
+ else {
+- SSize_t index = SvIV(index_sv);
++ SSize_t index = SvOK(index_sv) ? SvIV(index_sv) : 0;
+ SV * const * const svp =
+ av_fetch(MUTABLE_AV(sv), index, FALSE);
+ if (!svp) {
+diff --git a/t/lib/warnings/sv b/t/lib/warnings/sv
+index be04b8457e3a..8524c2c25a1d 100644
+--- a/t/lib/warnings/sv
++++ b/t/lib/warnings/sv
+@@ -211,6 +211,19 @@ Use of uninitialized value $a in join or string at - line 4.
+ Use of uninitialized value $a in concatenation (.) or string at - line 5.
+ Use of uninitialized value $a in concatenation (.) or string at - line 6.
+ ########
++# NAME https://github.com/Perl/perl5/issues/19147
++use warnings 'uninitialized';
++my %x;
++my @z;
++my $y;
++-$x{$y};
++-$z[$y];
++EXPECT
++Use of uninitialized value $y in hash element at - line 5.
++Use of uninitialized value $x{""} in negation (-) at - line 5.
++Use of uninitialized value $y in array element at - line 6.
++Use of uninitialized value $z[0] in negation (-) at - line 6.
++########
+ # sv.c
+ use warnings 'numeric' ;
+ sub TIESCALAR{bless[]} ;
diff --git a/perl.spec b/perl.spec
index fab910d..ee988b8 100644
--- a/perl.spec
+++ b/perl.spec
@@ -22,7 +22,7 @@ Name: perl
 License: (GPL+ or Artistic) and (GPLv2+ or Artistic) and MIT and UCD and Public Domain and BSD
 Epoch: 4
 Version: %{perl_version}
-Release: 8
+Release: 9
 Summary: A highly capable, feature-rich programming language
 Url: https://www.perl.org/
 Source0: https://www.cpan.org/src/5.0/%{name}-%{version}.tar.xz
@@ -39,6 +39,7 @@ Patch8: disable-rpath-by-default.patch
 Patch6000: backport-CVE-2021-36770.patch
 Patch6001: backport-CVE-2023-31484.patch
 Patch6002: backport-CVE-2023-31486.patch
+Patch6003: backport-CVE-2022-48522.patch
 
 BuildRequires: gcc bash findutils coreutils make tar procps bzip2-devel gdbm-devel perl-File-Compare perl-File-Find
 BuildRequires: zlib-devel systemtap-sdt-devel perl-interpreter perl-generators
@@ -489,6 +490,9 @@ make test_harness
 %{_mandir}/man3/*
 
 %changelog
+* Fri Aug 25 2023 yangmingtai - 4:5.34.0-9
+- fix CVE-2022-48522
+
 * Mon Jun 26 2023 yangmingtai - 4:5.34.0-8
 - fix CVE-2023-31486
 
-- 
Gitee
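Review bot: Patch6003 is declared in the second perl.spec hunk, but nothing in the diff shows it being applied; whether it takes effect depends on the %prep section, which is outside these hunks. If %prep applies patches with an explicit %patch list rather than %autosetup, a matching `%patch6003 -p1` line is needed, otherwise the CVE-2022-48522 fix ships as a source file only while the Release bump and changelog entry claim it is in the binary. A cheap build-time confirmation is that the added t/lib/warnings/sv case (`$x{$y}` / `$z[$y]` with undef index) passes in the `make test_harness` run the third hunk sits next to, since a stack overflow there would fail the test rather than segfault users later. The changelog entry could also name the upstream commit the backport carries, `- fix CVE-2022-48522 (backport of perl5 commit 43cbd598f60a85afcfc3de71e89e8a48330158f5)`, so provenance is visible without opening the patch file.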