From: Matthias Klose <doko@ubuntu.com>
Date: Wed, 12 Nov 2008 07:02:24 +0000 (+0000)
Subject: - Issue #2586: Fix CVE-2008-1721, zlib crash from
X-Git-Tag: v2.4.6c1~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=01feb5ad8d55c4cdc540e02ebebcaffa5f1a4d6c;p=thirdparty%2FPython%2Fcpython.git

- Issue #2586: Fix CVE-2008-1721, zlib crash from
  zlib.decompressobj().flush(val) when val is not positive.
---

diff --git a/Misc/NEWS b/Misc/NEWS
index 38de32730e40..bf3f7462eb1f 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -24,6 +24,9 @@ Core and builtins
 - Issue #1179: Fix CVE-2007-4965 and CVE-2008-1679, multiple integer
   overflows in the imageop and rgbimgmodule modules.
 
+- Issue #2586: Fix CVE-2008-1721, zlib crash from
+  zlib.decompressobj().flush(val) when val is not positive.
+
 Extension Modules
 -----------------
 
diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
index 35b8c32fa442..60b3eea55f24 100644
--- a/Modules/zlibmodule.c
+++ b/Modules/zlibmodule.c
@@ -669,6 +669,10 @@ PyZlib_unflush(compobject *self, PyObject *args)
 
     if (!PyArg_ParseTuple(args, "|i:flush", &length))
 	return NULL;
+    if (length <= 0) {
+	PyErr_SetString(PyExc_ValueError, "length must be greater than zero");
+	return NULL;
+    }
     if (!(retval = PyString_FromStringAndSize(NULL, length)))
 	return NULL;