From: Matthias Klose <doko@ubuntu.com>
Date: Wed, 12 Nov 2008 07:21:52 +0000 (+0000)
Subject: - Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size
X-Git-Tag: v2.4.6c1~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b7cfda132406bd0a4f626610657fd9b1e0e63f65;p=thirdparty%2FPython%2Fcpython.git

- Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size
  parameter but was not verifying that it was greater than zero.  Values
  less than zero will now raise a SystemError and return NULL to indicate a
  bug in the calling C code. CVE-2008-1887.

  backport r62261, r62271
---

diff --git a/Misc/NEWS b/Misc/NEWS
index 32dd128f0156..32a345b41d6a 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -30,6 +30,11 @@ Core and builtins
 - Issues #2588, #2589: Fix potential integer underflow and overflow
   conditions in the PyOS_vsnprintf C API function. CVE-2008-3144.
 
+- Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size
+  parameter but was not verifying that it was greater than zero.  Values
+  less than zero will now raise a SystemError and return NULL to indicate a
+  bug in the calling C code. CVE-2008-1887.
+
 Extension Modules
 -----------------
 
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index ee1c3bf8257e..8a2530aaf379 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -52,6 +52,13 @@ PyObject *
 PyString_FromStringAndSize(const char *str, int size)
 {
 	register PyStringObject *op;
+
+	if (size < 0) {
+		PyErr_SetString(PyExc_SystemError,
+		    "Negative size passed to PyString_FromStringAndSize");
+		return NULL;
+	}
+
 	if (size == 0 && (op = nullstring) != NULL) {
 #ifdef COUNT_ALLOCS
 		null_strings++;