From 6e01d90cc8bfac920bd4f7143b3968a8a21079d9 Mon Sep 17 00:00:00 2001
From: Benjamin Peterson
Date: Sat, 13 Aug 2016 17:17:06 -0700
Subject: [PATCH] check for overflow in join_append_data (closes #27758)
Reported by Thomas E. Hybel
---
 Misc/NEWS | 3 +++
 Modules/_csv.c | 23 +++++++++++++++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/Misc/NEWS b/Misc/NEWS
index e9a8f28f2c..c3235dee54 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -29,6 +29,9 @@ Core and Builtins
 Library
 -------
+- Issue #27758: Fix possible integer overflow in the _csv module for large record
+ lengths.
+
 - Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates that the script is in CGI mode.
diff --git a/Modules/_csv.c b/Modules/_csv.c
index f5f6e71686..dcb671e40a 100644
--- a/Modules/_csv.c
+++ b/Modules/_csv.c
@@ -1002,11 +1002,19 @@ join_append_data(WriterObj *self, unsigned int field_kind, void *field_data,
 int i;
 Py_ssize_t rec_len;
-#define ADDCH(c) \
+#define INCLEN \
+ do {\
+ if (!copy_phase && rec_len == PY_SSIZE_T_MAX) { \
+ goto overflow; \
+ } \
+ rec_len++; \
+ } while(0)
+
+#define ADDCH(c) \
 do {\
 if (copy_phase) \
 self->rec[rec_len] = c;\
- rec_len++;\
+ INCLEN;\
 } while(0)
 rec_len = self->rec_len;
@@ -1072,11 +1080,18 @@ join_append_data(WriterObj *self, unsigned int field_kind, void *field_data,
 if (*quoted) {
 if (copy_phase)
 ADDCH(dialect->quotechar);
- else
- rec_len += 2;
+ else {
+ INCLEN; /* starting quote */
+ INCLEN; /* ending quote */
+ }
 }
 return rec_len;
+
+ overflow:
+ PyErr_NoMemory();
+ return -1;
 #undef ADDCH
+#undef INCLEN
 }
 static int
-- 
2.40.0
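Review bot: INCLEN tests for `rec_len == PY_SSIZE_T_MAX` only when `!copy_phase`, so in the copy pass both the increment and the `self->rec[rec_len] = c` store in ADDCH stay unchecked and appear to depend on an earlier sizing pass over the same field having succeeded. That invariant is not stated anywhere in the hunk, and the macro also hides a `goto overflow` and uses the names `copy_phase` and `rec_len` from the enclosing function. I would document it above the macro, for example `/* Sizing pass only: jump to overflow before rec_len can wrap. The copy pass relies on the sizing pass for the same data having bounded rec_len. */`. The code that runs the two passes and grows `self->rec` is outside this hunk, so its size arithmetic should be confirmed to reject lengths close to PY_SSIZE_T_MAX as well.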
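Review bot: The new `overflow:` path makes join_append_data return -1 after `PyErr_NoMemory()`, and nothing visible in this diff shows that every call site tests for a negative result before using it as a record length. The call sites are outside the patch, so this needs confirming; a -1 that reached a buffer-size computation or `self->rec_len` would undo the fix. I would state the contract at the label, e.g. `/* rec_len would exceed PY_SSIZE_T_MAX: set MemoryError, return -1; callers must check for < 0 */`. The diffstat lists only Misc/NEWS and Modules/_csv.c, so no regression test accompanies the change. The function body starts above this hunk.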