bpo-30657: Fix CVE-2017-1000158 (#4758)

Fixes possible integer overflow in PyBytes_DecodeEscape.

Co-Authored-By: Jay Bosamiya <jaybosamiya@gmail.com>

diff --git a/Misc/ACKS b/Misc/ACKS
index 2e45f3d014bf04c03b51c1fda5ee0e2abd4310fc..9a73a222546a4cd692c69c816d74dffea3e228b7 100644 (file)
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -155,6 +155,7 @@ Gregory Bond
 Matias Bordese
 Jonas Borgström
 Jurjen Bos
+Jay Bosamiya
 Peter Bosch
 Dan Boswell
 Eric Bouck
@@ -616,6 +617,7 @@ Alan Hourihane
 Ken Howard
 Brad Howes
 Mike Hoy
+Miro Hrončok
 Chiu-Hsiang Hsu
 Chih-Hao Huang
 Christian Hudon

diff --git a/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst b/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst
new file mode 100644 (file)
index 0000000..75359b6
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst
@@ -0,0 +1,2 @@
+Fixed possible integer overflow in PyBytes_DecodeEscape, CVE-2017-1000158.
+Original patch by Jay Bosamiya; rebased to Python 3 by Miro Hrončok.

diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
index 27f406947208632acf37b30d58609ea9c24cf87f..08c91a265adcd2faa5b9ae43987e0ce4dd3fee60 100644 (file)
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -368,7 +368,13 @@ PyObject *PyBytes_DecodeEscape(const char *s,
     char *p, *buf;
     const char *end;
     PyObject *v;
-    Py_ssize_t newlen = recode_encoding ? 4*len:len;
+    Py_ssize_t newlen;
+    /* Check for integer overflow */
+    if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
+        PyErr_SetString(PyExc_OverflowError, "string is too large");
+        return NULL;
+    }
+    newlen = recode_encoding ? 4*len:len;
     v = PyBytes_FromStringAndSize((char *)NULL, newlen);
     if (v == NULL)
         return NULL;