bpo-30657: Fix CVE-2017-1000158 (#4664) · python/cpython@fd8614c (original) (raw)
3 files changed
lines changed
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -167,6 +167,7 @@ Médéric Boquien | ||
| 167 | 167 | Matias Bordese |
| 168 | 168 | Jonas Borgström |
| 169 | 169 | Jurjen Bos |
| 170 | +Jay Bosamiya | |
| 170 | 171 | Peter Bosch |
| 171 | 172 | Dan Boswell |
| 172 | 173 | Eric Bouck |
| @@ -651,6 +652,7 @@ Ken Howard | ||
| 651 | 652 | Brad Howes |
| 652 | 653 | Mike Hoy |
| 653 | 654 | Ben Hoyt |
| 655 | +Miro Hrončok | |
| 654 | 656 | Chiu-Hsiang Hsu |
| 655 | 657 | Chih-Hao Huang |
| 656 | 658 | Christian Hudon |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| 1 | +Fixed possible integer overflow in PyBytes_DecodeEscape, CVE-2017-1000158. | |
| 2 | +Original patch by Jay Bosamiya; rebased to Python 3 by Miro Hrončok. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -970,7 +970,13 @@ PyObject *PyBytes_DecodeEscape(const char *s, | ||
| 970 | 970 | char *p, *buf; |
| 971 | 971 | const char *end; |
| 972 | 972 | PyObject *v; |
| 973 | -Py_ssize_t newlen = recode_encoding ? 4*len:len; | |
| 973 | +Py_ssize_t newlen; | |
| 974 | +/* Check for integer overflow */ | |
| 975 | +if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) { | |
| 976 | +PyErr_SetString(PyExc_OverflowError, "string is too large"); | |
| 977 | +return NULL; | |
| 978 | + } | |
| 979 | +newlen = recode_encoding ? 4*len:len; | |
| 974 | 980 | v = PyBytes_FromStringAndSize((char *)NULL, newlen); |
| 975 | 981 | if (v == NULL) |
| 976 | 982 | return NULL; |