- Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size

  parameter but was not verifying that it was greater than zero.  Values
  less than zero will now raise a SystemError and return NULL to indicate a
  bug in the calling C code. CVE-2008-1887.

  backport r62261, r62271

diff --git a/Misc/NEWS b/Misc/NEWS
index 32dd128f0156c9cca069d9613e2765138b1458af..32a345b41d6a78a53076a68eb3224c1842840784 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -30,6 +30,11 @@ Core and builtins
 - Issues #2588, #2589: Fix potential integer underflow and overflow
   conditions in the PyOS_vsnprintf C API function. CVE-2008-3144.
 
+- Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size
+  parameter but was not verifying that it was greater than zero.  Values
+  less than zero will now raise a SystemError and return NULL to indicate a
+  bug in the calling C code. CVE-2008-1887.
+
 Extension Modules
 -----------------
 

diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index ee1c3bf8257e5914e16512c336ac2be45020b535..8a2530aaf3797eebd5ce3e5d4769e6f080ef748e 100644 (file)
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -52,6 +52,13 @@ PyObject *
 PyString_FromStringAndSize(const char *str, int size)
 {
        register PyStringObject *op;
+
+       if (size < 0) {
+               PyErr_SetString(PyExc_SystemError,
+                   "Negative size passed to PyString_FromStringAndSize");
+               return NULL;
+       }
+
        if (size == 0 && (op = nullstring) != NULL) {
 #ifdef COUNT_ALLOCS
                null_strings++;