From cab6444ff39a91084bdac08d0ae66734cea943f6 Mon Sep 17 00:00:00 2001
From: Andreas Wellving <andreas.wellving@enea.com>
Date: Mon, 22 Oct 2018 10:13:00 +0200
Subject: [PATCH] [2.7] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174)
CVE: CVE-2017-1000158
Upstream-Status: Backport [https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae]
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
---
Misc/ACKS | 1 +
Misc/NEWS | 3 +++
Objects/stringobject.c | 8 +++++++-
3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/Misc/ACKS b/Misc/ACKS
index 952d6dd..6ea6639 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -151,6 +151,7 @@ Gregory Bond
Matias Bordese
Jonas Borgström
Jurjen Bos
+Jay Bosamiya
Peter Bosch
Dan Boswell
Eric Bouck
diff --git a/Misc/NEWS b/Misc/NEWS
index b779e82..ab0b687 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -21,6 +21,9 @@ What's New in Python 2.7.13 release candidate 1?
Core and Builtins
-----------------
+- bpo-30657: Fixed possible integer overflow in PyString_DecodeEscape.
+ Patch by Jay Bosamiya.
+
- Issue #28847: dumbdbm no longer writes the index file in when it is not
changed and supports reading read-only files.
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index 4e38735..6c31c5b 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s,
char *p, *buf;
const char *end;
PyObject *v;
- Py_ssize_t newlen = recode_encoding ? 4*len:len;
+ Py_ssize_t newlen;
+ /* Check for integer overflow */
+ if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
+ PyErr_SetString(PyExc_OverflowError, "string is too large");
+ return NULL;
+ }
+ newlen = recode_encoding ? 4*len:len;
v = PyString_FromStringAndSize((char *)NULL, newlen);
if (v == NULL)
return NULL;
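Review bot: The added comment `/* Check for integer overflow */` does not say which computation it protects or why the bound is `PY_SSIZE_T_MAX / 4`, and the literal 4 now appears in both the guard and the `4*len` assignment, so the two can drift apart if one is edited. I would word it as `/* 4*len is the size requested from PyString_FromStringAndSize when recoding; reject any len for which it would overflow Py_ssize_t */`, since a wrapped `newlen` would presumably yield a buffer smaller than what the decode loop later writes. The diffstat touches only Misc/ACKS, Misc/NEWS and this file, so no regression test accompanies the check; a test exercising the OverflowError path (likely only reachable on a 32-bit build) would keep a later refactor from removing it. The body of PyString_DecodeEscape starts and continues outside the hunk, so the writes into `v` are not visible here.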