prevent buffer overflow in get_data (closes #26171)

author Benjamin Peterson <benjamin@python.org>

Thu, 21 Jan 2016 06:23:44 +0000 (22:23 -0800)

committer Benjamin Peterson <benjamin@python.org>

Thu, 21 Jan 2016 06:23:44 +0000 (22:23 -0800)
author Benjamin Peterson <benjamin@python.org>
Thu, 21 Jan 2016 06:23:44 +0000 (22:23 -0800)
committer Benjamin Peterson <benjamin@python.org>
Thu, 21 Jan 2016 06:23:44 +0000 (22:23 -0800)
diff --git a/Misc/NEWS b/Misc/NEWS

index 298d027564b73f09fc241b802f31a77a19f56d5b..5f1929d0b1d53a03574ea39ca362251d4527fd0c 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ Release date: tba
  Core and Builtins
  -----------------
  
+- Issue #26171: Fix possible integer overflow and heap corruption in
+  zipimporter.get_data().
+
  Library
  -------
  
diff --git a/Modules/zipimport.c b/Modules/zipimport.c

index 55bfb5d7cf7d78a0ea978d71d7a726a785a77073..83fa8f932598abb9846e9da664cd176e64c97498 100644 (file)
--- a/Modules/zipimport.c
+++ b/Modules/zipimport.c
@@ -1111,6 +1111,11 @@ get_data(PyObject *archive, PyObject *toc_entry)
      }
      file_offset += l;           /* Start of file data */
  
+    if (data_size > LONG_MAX - 1) {
+        fclose(fp);
+        PyErr_NoMemory();
+        return NULL;
+    }
      bytes_size = compress == 0 ? data_size : data_size + 1;
      if (bytes_size == 0)
          bytes_size++;
author	Benjamin Peterson <benjamin@python.org>
	Thu, 21 Jan 2016 06:23:44 +0000 (22:23 -0800)
committer	Benjamin Peterson <benjamin@python.org>
	Thu, 21 Jan 2016 06:23:44 +0000 (22:23 -0800)
Misc/NEWS		patch \| blob \| history
Modules/zipimport.c		patch \| blob \| history