From 6c004b40f9d51872d848981ef1a18bb08c2dfc42 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Miro=20Hron=C4=8Dok?=
Date: Fri, 8 Dec 2017 22:34:44 +0100
Subject: [PATCH] bpo-30657: Fix CVE-2017-1000158 (#4758)

Fixes possible integer overflow in PyBytes_DecodeEscape.

Co-Authored-By: Jay Bosamiya
---
 Misc/ACKS | 2 ++
 .../Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst | 2 ++
 Objects/bytesobject.c | 8 +++++++-
 3 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst

diff --git a/Misc/ACKS b/Misc/ACKS
index 2e45f3d014bf..9a73a222546a 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -155,6 +155,7 @@ Gregory Bond
 Matias Bordese
 Jonas Borgström
 Jurjen Bos
+Jay Bosamiya
 Peter Bosch
 Dan Boswell
 Eric Bouck
@@ -616,6 +617,7 @@ Alan Hourihane
 Ken Howard
 Brad Howes
 Mike Hoy
+Miro Hrončok
 Chiu-Hsiang Hsu
 Chih-Hao Huang
 Christian Hudon
diff --git a/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst b/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst
new file mode 100644
index 000000000000..75359b6d8833
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst
@@ -0,0 +1,2 @@
+Fixed possible integer overflow in PyBytes_DecodeEscape, CVE-2017-1000158.
+Original patch by Jay Bosamiya; rebased to Python 3 by Miro Hrončok.
diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
index 27f406947208..08c91a265adc 100644
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -368,7 +368,13 @@ PyObject *PyBytes_DecodeEscape(const char *s,
 char *p, *buf;
 const char *end;
 PyObject *v;
- Py_ssize_t newlen = recode_encoding ? 4*len:len;
+ Py_ssize_t newlen;
+ /* Check for integer overflow */
+ if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
+ PyErr_SetString(PyExc_OverflowError, "string is too large");
+ return NULL;
+ }
+ newlen = recode_encoding ? 4*len:len;
 v = PyBytes_FromStringAndSize((char *)NULL, newlen);
 if (v == NULL)
 return NULL;
--
2.47.3
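Review bot: In the Objects/bytesobject.c hunk, the guard `len > PY_SSIZE_T_MAX / 4` and the multiplication `4*len` a few lines below repeat the same bare literal, so a later edit to one of them can silently reopen the overflow. The comment `/* Check for integer overflow */` also does not say which expression is being protected or why the factor is 4. I would extend it to something like `/* newlen is 4*len when recoding (presumably the worst-case expansion per input byte); reject len that would overflow Py_ssize_t */` and, ideally, name the factor once so the guard and the multiplication share it. The diffstat lists no test file, so the fix lands without a regression test; one would be worth adding where the platform can allocate a large enough input. The body of PyBytes_DecodeEscape continues outside the hunk, so whether the later writes through `p` stay within `newlen` cannot be confirmed from here.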