]> git.ipfire.org Git - thirdparty/Python/cpython.git/commitdiff
projects / thirdparty / Python / cpython.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0c8cae1)
in scan_once, prevent the reading of arbitrary memory when passed a negative index
authorBenjamin Peterson <benjamin@python.org>
Mon, 14 Apr 2014 02:10:38 +0000 (22:10 -0400)
committerBenjamin Peterson <benjamin@python.org>
Mon, 14 Apr 2014 02:10:38 +0000 (22:10 -0400)
Bug reported by Guido Vranken.

Lib/json/tests/test_decode.py patch | blob | blame | history
Misc/ACKS patch | blob | blame | history
Misc/NEWS patch | blob | blame | history
Modules/_json.c patch | blob | blame | history

diff --git a/Lib/json/tests/test_decode.py b/Lib/json/tests/test_decode.py
index 144ff4113ce53214573586486ee4fbb9572d9993..a689b36779de0c11fe09014ee51c6534f8aea5c8 100644 (file)
--- a/Lib/json/tests/test_decode.py
+++ b/Lib/json/tests/test_decode.py
@@ -45,5 +45,9 @@ class TestDecode:
         self.assertEqual(rval, {"key":"value", "k":"v"})
 
 
+    def test_negative_index(self):
+        d = self.json.JSONDecoder()
+        self.assertRaises(ValueError, d.raw_decode, 'a'*42, -50000)
+
 class TestPyDecode(TestDecode, PyTest): pass
 class TestCDecode(TestDecode, CTest): pass
diff --git a/Misc/ACKS b/Misc/ACKS
index 0de41015b6def654237cd3d1893d21961cd5a771..6264d4b5011c613c41419d5bcbd9ff3a68067cfd 100644 (file)
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -842,6 +842,7 @@ Kannan Vijayan
 Kurt Vile
 Norman Vine
 Frank Visser
+Guido Vranken
 Niki W. Waibel
 Wojtek Walczak
 Charles Waldman
diff --git a/Misc/NEWS b/Misc/NEWS
index 437acbf33ffc1ba204c3be3c2335e61177ec2f66..68622f5299f76c24cea8ab2fbe4b5921417423d6 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------
 
+- Fix arbitrary memory access in JSONDecoder.raw_decode with a negative second
+  parameter. Bug reported by Guido Vranken.
+
 - Issue #20246: Fix buffer overflow in socket.recvfrom_into.
 
 - Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler.
diff --git a/Modules/_json.c b/Modules/_json.c
index 5ced5c9704579dc081e593621e08b6ed184990dc..e54b0b94bc5001222ce85387d54c39a5e4305261 100644 (file)
--- a/Modules/_json.c
+++ b/Modules/_json.c
@@ -902,7 +902,10 @@ scan_once_unicode(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_
     PyObject *res;
     Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
     Py_ssize_t length = PyUnicode_GET_SIZE(pystr);
-    if (idx >= length) {
+    if (idx < 0)
+        /* Compatibility with Python version. */
+        idx += length;
+    if (idx < 0 || idx >= length) {
         PyErr_SetNone(PyExc_StopIteration);
         return NULL;
     }
Mirror of https://github.com/python/cpython.git