From: Miro Hrončok Date: Fri, 8 Dec 2017 21:34:12 +0000 (+0100) Subject: bpo-30657: Fix CVE-2017-1000158 (#4664) X-Git-Tag: v3.5.5rc1~7 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=fd8614c5c5466a14a945db5b059c10c0fb8f76d9;p=python bpo-30657: Fix CVE-2017-1000158 (#4664) Fixes possible integer overflow in PyBytes_DecodeEscape. Co-Authored-By: Jay Bosamiya --- diff --git a/Misc/ACKS b/Misc/ACKS index fbf110d801..1a35aad66c 100644 --- a/Misc/ACKS +++ b/Misc/ACKS @@ -167,6 +167,7 @@ Médéric Boquien Matias Bordese Jonas Borgström Jurjen Bos +Jay Bosamiya Peter Bosch Dan Boswell Eric Bouck @@ -651,6 +652,7 @@ Ken Howard Brad Howes Mike Hoy Ben Hoyt +Miro Hrončok Chiu-Hsiang Hsu Chih-Hao Huang Christian Hudon diff --git a/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst b/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst new file mode 100644 index 0000000000..75359b6d88 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst @@ -0,0 +1,2 @@ +Fixed possible integer overflow in PyBytes_DecodeEscape, CVE-2017-1000158. +Original patch by Jay Bosamiya; rebased to Python 3 by Miro Hrončok. diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c index 77dd45e84a..9b29dc38b4 100644 --- a/Objects/bytesobject.c +++ b/Objects/bytesobject.c @@ -970,7 +970,13 @@ PyObject *PyBytes_DecodeEscape(const char *s, char *p, *buf; const char *end; PyObject *v; - Py_ssize_t newlen = recode_encoding ? 4*len:len; + Py_ssize_t newlen; + /* Check for integer overflow */ + if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) { + PyErr_SetString(PyExc_OverflowError, "string is too large"); + return NULL; + } + newlen = recode_encoding ? 4*len:len; v = PyBytes_FromStringAndSize((char *)NULL, newlen); if (v == NULL) return NULL;
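Review bot: No regression test comes with the new guard in the Objects/bytesobject.c hunk; the patch touches only Misc/ACKS, the NEWS entry and bytesobject.c. The check itself is sound: `len > PY_SSIZE_T_MAX / 4` rejects exactly the lengths for which `4*len` would exceed PY_SSIZE_T_MAX, and it runs before the value reaches PyBytes_FromStringAndSize. Please add a test that drives PyBytes_DecodeEscape with recode_encoding set and asserts OverflowError, skipped on builds where an input longer than PY_SSIZE_T_MAX / 4 bytes cannot be allocated (in practice it is only reachable with a 32-bit Py_ssize_t). As a smaller style point, the comment `/* Check for integer overflow */` could name the expression it protects (`4*len`), since the multiplication now sits several lines below the guard.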
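Review bot: The NEWS entry added in Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst does not say when the overflow can happen or what it affects, which is what a reader deciding whether to upgrade needs. From the bytesobject.c hunk, the overflow is in the `4*len` size computation, taken only when recode_encoding is set, and the result is the size passed to PyBytes_FromStringAndSize. Suggest stating that in the first sentence of the entry, for example that the output buffer size could overflow for very long inputs when a recode encoding is given, and that such inputs now raise OverflowError ("string is too large").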