From fd8614c5c5466a14a945db5b059c10c0fb8f76d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
Date: Fri, 8 Dec 2017 22:34:12 +0100
Subject: [PATCH] bpo-30657: Fix CVE-2017-1000158 (#4664)
Fixes possible integer overflow in PyBytes_DecodeEscape.
Co-Authored-By: Jay Bosamiya <jaybosamiya@gmail.com>
---
Misc/ACKS | 2 ++
.../Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst | 2 ++
Objects/bytesobject.c | 8 +++++++-
3 files changed, 11 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst
diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
index 77dd45e84af8..9b29dc38b44f 100644
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -970,7 +970,13 @@ PyObject *PyBytes_DecodeEscape(const char *s,
char *p, *buf;
const char *end;
PyObject *v;
- Py_ssize_t newlen = recode_encoding ? 4*len:len;
+ Py_ssize_t newlen;
+ /* Check for integer overflow */
+ if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
+ PyErr_SetString(PyExc_OverflowError, "string is too large");
+ return NULL;
+ }
+ newlen = recode_encoding ? 4*len:len;
v = PyBytes_FromStringAndSize((char *)NULL, newlen);
if (v == NULL)
return NULL;
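Review bot: The guard `if (recode_encoding && (len > PY_SSIZE_T_MAX / 4))` and the multiplication `4*len` two lines below each hard-code the factor 4 and each repeat the `recode_encoding` test, so the check protects the allocation only while the two stay in sync. The comment `/* Check for integer overflow */` could say what is at stake, for example `/* 4*len must fit in Py_ssize_t: signed overflow is undefined and could give PyBytes_FromStringAndSize a too-small size */`. Only the upper bound is checked; whether a negative `len` can reach this point is not visible in the hunk and is worth confirming against callers. The diffstat lists no test file, so the new OverflowError path appears to be unexercised, presumably because triggering it needs a very large input. PyBytes_DecodeEscape's body starts and continues outside the hunk.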