Issue #26171: Prevent buffer overflow in get_data

Backport of 01ddd608b85c.

diff --git a/Misc/NEWS b/Misc/NEWS
index a38d8beeb1d812be4b7e3ac4c2cf21353e36367d..731cd0f1ed075f6c1349ed444b1147a039dbc2d8 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 3.3.7?
 Core and Builtins
 -----------------
 
+- Issue #26171: Fix possible integer overflow and heap corruption in
+  zipimporter.get_data().
+
 - Issue #25709: Fixed problem with in-place string concatenation and utf-8 cache.
 
 - Issue #24407: Fix crash when dict is mutated while being updated.

diff --git a/Modules/zipimport.c b/Modules/zipimport.c
index 2feb2a827c8b67dfd947d93153e289c869211bcc..dad699e7e93024458a77d158c9056c2683f9c65a 100644 (file)
--- a/Modules/zipimport.c
+++ b/Modules/zipimport.c
@@ -1089,6 +1089,11 @@ get_data(PyObject *archive, PyObject *toc_entry)
         PyMarshal_ReadShortFromFile(fp);        /* local header size */
     file_offset += l;           /* Start of file data */
 
+    if (data_size > LONG_MAX - 1) {
+        fclose(fp);
+        PyErr_NoMemory();
+        return NULL;
+    }
     bytes_size = compress == 0 ? data_size : data_size + 1;
     if (bytes_size == 0)
         bytes_size++;