From cab6444ff39a91084bdac08d0ae66734cea943f6 Mon Sep 17 00:00:00 2001
From: Andreas Wellving
Date: Mon, 22 Oct 2018 10:13:00 +0200
Subject: [PATCH] [2.7] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174)

CVE: CVE-2017-1000158
Upstream-Status: Backport [https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae]
Signed-off-by: Andreas Wellving
---
 Misc/ACKS | 1 +
 Misc/NEWS | 3 +++
 Objects/stringobject.c | 8 +++++++-
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/Misc/ACKS b/Misc/ACKS
index 952d6dd..6ea6639 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -151,6 +151,7 @@ Gregory Bond
 Matias Bordese
 Jonas Borgström
 Jurjen Bos
+Jay Bosamiya
 Peter Bosch
 Dan Boswell
 Eric Bouck
diff --git a/Misc/NEWS b/Misc/NEWS
index b779e82..ab0b687 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -21,6 +21,9 @@ What's New in Python 2.7.13 release candidate 1?
 Core and Builtins
 -----------------
+- bpo-30657: Fixed possible integer overflow in PyString_DecodeEscape.
+ Patch by Jay Bosamiya.
+
 - Issue #28847: dumbdbm no longer writes the index file in when it is not changed and supports reading read-only files.
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index 4e38735..6c31c5b 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s,
 char *p, *buf;
 const char *end;
 PyObject *v;
- Py_ssize_t newlen = recode_encoding ? 4*len:len;
+ Py_ssize_t newlen;
+ /* Check for integer overflow */
+ if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
+ PyErr_SetString(PyExc_OverflowError, "string is too large");
+ return NULL;
+ }
+ newlen = recode_encoding ? 4*len:len;
 v = PyString_FromStringAndSize((char *)NULL, newlen);
 if (v == NULL)
 return NULL;
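Review bot: In the Objects/stringobject.c hunk the factor 4 is written twice, once in the guard `len > PY_SSIZE_T_MAX / 4` and once in `4*len`, and the comment `/* Check for integer overflow */` does not say what the product is used for. Because `newlen` is the size passed to `PyString_FromStringAndSize` on the next context line, a wrapped product would presumably yield a buffer smaller than the decoder later fills, so the comment is worth spelling out, for example `/* 4*len sizes the result buffer when recode_encoding is set; reject lengths whose product would overflow Py_ssize_t */`. The diffstat lists no test file, so a regression test for the new OverflowError path may still be needed (it would have to build an oversized input, which is likely only practical on a 32-bit build). PyString_DecodeEscape starts before and continues after this hunk, so whether `len` is checked for negative values elsewhere cannot be seen here.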