Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 161579 Details for
Bug 232137
dev-lang/python Multiple vulnerabilities (CVE-2008-{3142,3143,3144})
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
python-2.4.4-CVE-2008-3143.patch
python-2.4.4-CVE-2008-3143.patch (text/plain), 28.64 KB, created by
Robert Buchholz (RETIRED)
on 2008-07-28 20:22:25 UTC
(
hide
)
Description:
python-2.4.4-CVE-2008-3143.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2008-07-28 20:22:25 UTC
Size:
28.64 KB
patch
obsolete
>r61180 | martin.v.loewis | 2008-03-02 20:20:32 +0100 (Sun, 02 Mar 2008) | 5 lines > >Backport of r60793: >Added checks for integer overflows, contributed by Google. Some are >only available if asserts are left in the code, in cases where they >can't be triggered from Python code. > >Index: Python-2.4.4/Python/bltinmodule.c >=================================================================== >--- Python-2.4.4.orig/Python/bltinmodule.c >+++ Python-2.4.4/Python/bltinmodule.c >@@ -2376,11 +2376,43 @@ filterstring(PyObject *func, PyObject *s > PyString_AS_STRING(item)[0]; > } else { > /* do we need more space? */ >- int need = j + reslen + len-i-1; >+ int need = j; >+ >+ /* calculate space requirements while checking for overflow */ >+ if (need > INT_MAX - reslen) { >+ Py_DECREF(item); >+ goto Fail_1; >+ } >+ >+ need += reslen; >+ >+ if (need > INT_MAX - len) { >+ Py_DECREF(item); >+ goto Fail_1; >+ } >+ >+ need += len; >+ >+ if (need <= i) { >+ Py_DECREF(item); >+ goto Fail_1; >+ } >+ >+ need = need - i - 1; >+ >+ assert(need >= 0); >+ assert(outlen >= 0); >+ > if (need > outlen) { > /* overallocate, to avoid reallocations */ >- if (need<2*outlen) >+ if (outlen > INT_MAX / 2) { >+ Py_DECREF(item); >+ return NULL; >+ } >+ >+ if (need<2*outlen) { > need = 2*outlen; >+ } > if (_PyString_Resize(&result, need)) { > Py_DECREF(item); > return NULL; >@@ -2472,11 +2504,31 @@ filterunicode(PyObject *func, PyObject * > else { > /* do we need more space? */ > int need = j + reslen + len - i - 1; >+ >+ /* check that didnt overflow */ >+ if ((j > INT_MAX - reslen) || >+ ((j + reslen) > INT_MAX - len) || >+ ((j + reslen + len) < i) || >+ ((j + reslen + len - i) <= 0)) { >+ Py_DECREF(item); >+ return NULL; >+ } >+ >+ assert(need >= 0); >+ assert(outlen >= 0); >+ > if (need > outlen) { > /* overallocate, > to avoid reallocations */ >- if (need < 2 * outlen) >- need = 2 * outlen; >+ if (need < 2 * outlen) { >+ if (outlen > INT_MAX / 2) { >+ Py_DECREF(item); >+ return NULL; >+ } else { >+ need = 2 * outlen; >+ } >+ } >+ > if (PyUnicode_Resize( > &result, need) < 0) { > Py_DECREF(item); >Index: Python-2.4.4/Include/pyport.h >=================================================================== >--- Python-2.4.4.orig/Include/pyport.h >+++ Python-2.4.4/Include/pyport.h >@@ -616,6 +616,17 @@ typedef struct fd_set { > #error "LONG_BIT definition appears wrong for platform (bad gcc/glibc config?)." > #endif > >+/* Largest possible value of size_t. >+ SIZE_MAX is part of C99, so it might be defined on some >+ platforms. If it is not defined, (size_t)-1 is a portable >+ definition for C89, due to the way signed->unsigned >+ conversion is defined. */ >+#ifdef SIZE_MAX >+#define PY_SIZE_MAX SIZE_MAX >+#else >+#define PY_SIZE_MAX ((size_t)-1) >+#endif >+ > #ifdef __cplusplus > } > #endif >Index: Python-2.4.4/Include/pymem.h >=================================================================== >--- Python-2.4.4.orig/Include/pymem.h >+++ Python-2.4.4/Include/pymem.h >@@ -86,14 +86,18 @@ PyAPI_FUNC(void) PyMem_Free(void *); > */ > > #define PyMem_New(type, n) \ >- ( (type *) PyMem_Malloc((n) * sizeof(type)) ) >+ ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ >+ ( (type *) PyMem_Malloc((n) * sizeof(type)) ) ) > #define PyMem_NEW(type, n) \ >- ( (type *) PyMem_MALLOC((n) * sizeof(type)) ) >+ ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ >+ ( (type *) PyMem_MALLOC((n) * sizeof(type)) ) ) > > #define PyMem_Resize(p, type, n) \ >- ( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) >+ ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ >+ ( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) ) > #define PyMem_RESIZE(p, type, n) \ >- ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) >+ ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ >+ ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) ) > > /* In order to avoid breaking old code mixing PyObject_{New, NEW} with > PyMem_{Del, DEL} and PyMem_{Free, FREE}, the PyMem "release memory" >Index: Python-2.4.4/Objects/bufferobject.c >=================================================================== >--- Python-2.4.4.orig/Objects/bufferobject.c >+++ Python-2.4.4/Objects/bufferobject.c >@@ -167,6 +167,10 @@ PyBuffer_New(int size) > "size must be zero or positive"); > return NULL; > } >+ if (sizeof(*b) > INT_MAX - size) { >+ /* unlikely */ >+ return PyErr_NoMemory(); >+ } > /* Inline PyObject_New */ > o = PyObject_MALLOC(sizeof(*b) + size); > if ( o == NULL ) >@@ -355,6 +359,8 @@ buffer_concat(PyBufferObject *self, PyOb > if ( (count = (*pb->bf_getreadbuffer)(other, 0, &ptr2)) < 0 ) > return NULL; > >+ assert(count <= PY_SIZE_MAX - size); >+ > ob = PyString_FromStringAndSize(NULL, size + count); > p = PyString_AS_STRING(ob); > memcpy(p, ptr1, size); >Index: Python-2.4.4/Objects/listobject.c >=================================================================== >--- Python-2.4.4.orig/Objects/listobject.c >+++ Python-2.4.4/Objects/listobject.c >@@ -45,7 +45,16 @@ list_resize(PyListObject *self, int news > * system realloc(). > * The growth pattern is: 0, 4, 8, 16, 25, 35, 46, 58, 72, 88, ... > */ >- new_allocated = (newsize >> 3) + (newsize < 9 ? 3 : 6) + newsize; >+ new_allocated = (newsize >> 3) + (newsize < 9 ? 3 : 6); >+ >+ /* check for integer overflow */ >+ if (new_allocated > PY_SIZE_MAX - newsize) { >+ PyErr_NoMemory(); >+ return -1; >+ } else { >+ new_allocated += newsize; >+ } >+ > if (newsize == 0) > new_allocated = 0; > items = self->ob_item; >@@ -92,8 +101,9 @@ PyList_New(int size) > return NULL; > } > nbytes = size * sizeof(PyObject *); >- /* Check for overflow */ >- if (nbytes / sizeof(PyObject *) != (size_t)size) >+ /* Check for overflow without an actual overflow, >+ * which can cause compiler to optimise out */ >+ if (size > PY_SIZE_MAX / sizeof(PyObject *)) > return PyErr_NoMemory(); > if (num_free_lists) { > num_free_lists--; >@@ -1372,6 +1382,10 @@ merge_getmem(MergeState *ms, int need) > * we don't care what's in the block. > */ > merge_freemem(ms); >+ if (need > INT_MAX / sizeof(PyObject*)) { >+ PyErr_NoMemory(); >+ return -1; >+ } > ms->a = (PyObject **)PyMem_Malloc(need * sizeof(PyObject*)); > if (ms->a) { > ms->alloced = need; >@@ -2550,6 +2564,8 @@ list_ass_subscript(PyListObject* self, P > step = -step; > } > >+ assert(slicelength <= PY_SIZE_MAX / sizeof(PyObject*)); >+ > garbage = (PyObject**) > PyMem_MALLOC(slicelength*sizeof(PyObject*)); > if (!garbage) { >Index: Python-2.4.4/Misc/NEWS >=================================================================== >--- Python-2.4.4.orig/Misc/NEWS >+++ Python-2.4.4/Misc/NEWS >@@ -23,6 +23,10 @@ What's New in Python 2.4.4c1? > Core and builtins > ----------------- > >+- Added checks for integer overflows, contributed by Google. Some are >+ only available if asserts are left in the code, in cases where they >+ can't be triggered from Python code. >+ > - Bug #1456209: In some obscure cases it was possible for a class with a > custom ``__eq__()`` method to confuse dict internals when class instances > were used as a dict's keys and the ``__eq__()`` method mutated the dict. >Index: Python-2.4.4/Parser/node.c >=================================================================== >--- Python-2.4.4.orig/Parser/node.c >+++ Python-2.4.4/Parser/node.c >@@ -91,6 +91,9 @@ PyNode_AddChild(register node *n1, int t > if (current_capacity < 0 || required_capacity < 0) > return E_OVERFLOW; > if (current_capacity < required_capacity) { >+ if (required_capacity > PY_SIZE_MAX / sizeof(node)) { >+ return E_NOMEM; >+ } > n = n1->n_child; > n = (node *) PyObject_REALLOC(n, > required_capacity * sizeof(node)); >Index: Python-2.4.4/Modules/rgbimgmodule.c >=================================================================== >--- Python-2.4.4.orig/Modules/rgbimgmodule.c >+++ Python-2.4.4/Modules/rgbimgmodule.c >@@ -269,7 +269,7 @@ longimagedata(PyObject *self, PyObject * > Py_Int32 *starttab = NULL, *lengthtab = NULL; > FILE *inf = NULL; > IMAGE image; >- int y, z, tablen; >+ int y, z, tablen, new_size; > int xsize, ysize, zsize; > int bpp, rle, cur, badorder; > int rlebuflen; >@@ -306,9 +306,15 @@ longimagedata(PyObject *self, PyObject * > } > if (rle) { > tablen = ysize * zsize * sizeof(Py_Int32); >+ rlebuflen = (int) (1.05 * xsize +10); >+ if ((tablen / sizeof(Py_Int32)) != (ysize * zsize) || >+ rlebuflen < 0) { >+ PyErr_NoMemory(); >+ goto finally; >+ } >+ > starttab = (Py_Int32 *)malloc(tablen); > lengthtab = (Py_Int32 *)malloc(tablen); >- rlebuflen = (int) (1.05 * xsize +10); > rledat = (unsigned char *)malloc(rlebuflen); > if (!starttab || !lengthtab || !rledat) { > PyErr_NoMemory(); >@@ -336,8 +342,14 @@ longimagedata(PyObject *self, PyObject * > > fseek(inf, 512 + 2 * tablen, SEEK_SET); > cur = 512 + 2 * tablen; >+ new_size = xsize * ysize + TAGLEN; >+ if (new_size < 0 || (new_size * sizeof(Py_Int32)) < 0) { >+ PyErr_NoMemory(); >+ goto finally; >+ } >+ > rv = PyString_FromStringAndSize((char *)NULL, >- (xsize * ysize + TAGLEN) * sizeof(Py_Int32)); >+ new_size * sizeof(Py_Int32)); > if (rv == NULL) > goto finally; > >@@ -405,8 +417,14 @@ longimagedata(PyObject *self, PyObject * > copybw((Py_Int32 *) base, xsize * ysize); > } > else { >+ new_size = xsize * ysize + TAGLEN; >+ if (new_size < 0 || (new_size * sizeof(Py_Int32)) < 0) { >+ PyErr_NoMemory(); >+ goto finally; >+ } >+ > rv = PyString_FromStringAndSize((char *) 0, >- (xsize*ysize+TAGLEN)*sizeof(Py_Int32)); >+ new_size*sizeof(Py_Int32)); > if (rv == NULL) > goto finally; > >@@ -595,10 +613,16 @@ longstoimage(PyObject *self, PyObject *a > return NULL; > } > tablen = ysize * zsize * sizeof(Py_Int32); >+ rlebuflen = (int) (1.05 * xsize + 10); >+ >+ if ((tablen / sizeof(Py_Int32)) != (ysize * zsize) || >+ rlebuflen < 0 || (xsize * sizeof(Py_Int32)) < 0) { >+ PyErr_NoMemory(); >+ goto finally; >+ } > > starttab = (Py_Int32 *)malloc(tablen); > lengthtab = (Py_Int32 *)malloc(tablen); >- rlebuflen = (int) (1.05 * xsize + 10); > rlebuf = (unsigned char *)malloc(rlebuflen); > lumbuf = (unsigned char *)malloc(xsize * sizeof(Py_Int32)); > if (!starttab || !lengthtab || !rlebuf || !lumbuf) { >Index: Python-2.4.4/Modules/datetimemodule.c >=================================================================== >--- Python-2.4.4.orig/Modules/datetimemodule.c >+++ Python-2.4.4/Modules/datetimemodule.c >@@ -1111,6 +1111,8 @@ format_utcoffset(char *buf, size_t bufle > char sign; > int none; > >+ assert(buflen >= 1); >+ > offset = call_utcoffset(tzinfo, tzinfoarg, &none); > if (offset == -1 && PyErr_Occurred()) > return -1; >@@ -1188,6 +1190,11 @@ wrap_strftime(PyObject *object, PyObject > * a new format. Since computing the replacements for those codes > * is expensive, don't unless they're actually used. > */ >+ if (PyString_Size(format) > INT_MAX - 1) { >+ PyErr_NoMemory(); >+ goto Done; >+ } >+ > totalnew = PyString_Size(format) + 1; /* realistic if no %z/%Z */ > newfmt = PyString_FromStringAndSize(NULL, totalnew); > if (newfmt == NULL) goto Done; >Index: Python-2.4.4/Modules/cjkcodecs/multibytecodec.c >=================================================================== >--- Python-2.4.4.orig/Modules/cjkcodecs/multibytecodec.c >+++ Python-2.4.4/Modules/cjkcodecs/multibytecodec.c >@@ -100,12 +100,16 @@ get_errorcallback(const char *errors) > static int > expand_encodebuffer(MultibyteEncodeBuffer *buf, int esize) > { >- int orgpos, orgsize; >+ int orgpos, orgsize, incsize; > > orgpos = (int)((char*)buf->outbuf - PyString_AS_STRING(buf->outobj)); > orgsize = PyString_GET_SIZE(buf->outobj); >- if (_PyString_Resize(&buf->outobj, orgsize + ( >- esize < (orgsize >> 1) ? (orgsize >> 1) | 1 : esize)) == -1) >+ incsize = (esize < (orgsize >> 1) ? (orgsize >> 1) | 1 : esize); >+ >+ if (orgsize > INT_MAX - incsize) >+ return -1; >+ >+ if (_PyString_Resize(&buf->outobj, orgsize + incsize) == -1) > return -1; > > buf->outbuf = (unsigned char *)PyString_AS_STRING(buf->outobj) +orgpos; >@@ -416,6 +420,12 @@ multibytecodec_encode(MultibyteCodec *co > buf.excobj = NULL; > buf.inbuf = buf.inbuf_top = *data; > buf.inbuf_end = buf.inbuf_top + datalen; >+ >+ if (datalen > (INT_MAX - 16) / 2) { >+ PyErr_NoMemory(); >+ goto errorexit; >+ } >+ > buf.outobj = PyString_FromStringAndSize(NULL, datalen * 2 + 16); > if (buf.outobj == NULL) > goto errorexit; >@@ -725,6 +735,10 @@ mbstreamreader_iread(MultibyteStreamRead > PyObject *ctr; > char *ctrdata; > >+ if (PyString_GET_SIZE(cres) > INT_MAX - self->pendingsize) { >+ PyErr_NoMemory(); >+ goto errorexit; >+ } > rsize = PyString_GET_SIZE(cres) + self->pendingsize; > ctr = PyString_FromStringAndSize(NULL, rsize); > if (ctr == NULL) >Index: Python-2.4.4/Modules/arraymodule.c >=================================================================== >--- Python-2.4.4.orig/Modules/arraymodule.c >+++ Python-2.4.4/Modules/arraymodule.c >@@ -651,6 +651,9 @@ array_concat(arrayobject *a, PyObject *b > PyErr_BadArgument(); > return NULL; > } >+ if (a->ob_size > INT_MAX - b->ob_size) { >+ return PyErr_NoMemory(); >+ } > size = a->ob_size + b->ob_size; > np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr); > if (np == NULL) { >@@ -673,6 +676,9 @@ array_repeat(arrayobject *a, int n) > int nbytes; > if (n < 0) > n = 0; >+ if ((a->ob_size != 0) && (n > INT_MAX / a->ob_size)) { >+ return PyErr_NoMemory(); >+ } > size = a->ob_size * n; > np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr); > if (np == NULL) >@@ -817,6 +823,11 @@ array_do_extend(arrayobject *self, PyObj > "can only extend with array of same kind"); > return -1; > } >+ if ((self->ob_size > INT_MAX - b->ob_size) || >+ ((self->ob_size + b->ob_size) > INT_MAX / self->ob_descr->itemsize)) { >+ PyErr_NoMemory(); >+ return -1; >+ } > size = self->ob_size + b->ob_size; > PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize); > if (self->ob_item == NULL) { >@@ -858,6 +869,10 @@ array_inplace_repeat(arrayobject *self, > if (n < 0) > n = 0; > items = self->ob_item; >+ if ((self->ob_descr->itemsize != 0) && >+ (self->ob_size > INT_MAX / self->ob_descr->itemsize)) { >+ return PyErr_NoMemory(); >+ } > size = self->ob_size * self->ob_descr->itemsize; > if (n == 0) { > PyMem_FREE(items); >@@ -866,6 +881,9 @@ array_inplace_repeat(arrayobject *self, > self->allocated = 0; > } > else { >+ if (size > INT_MAX / n) { >+ return PyErr_NoMemory(); >+ } > PyMem_Resize(items, char, n * size); > if (items == NULL) > return PyErr_NoMemory(); >@@ -1278,6 +1296,9 @@ array_fromlist(arrayobject *self, PyObje > if ((*self->ob_descr->setitem)(self, > self->ob_size - n + i, v) != 0) { > self->ob_size -= n; >+ if (itemsize && (self->ob_size > INT_MAX / itemsize)) { >+ return PyErr_NoMemory(); >+ } > PyMem_RESIZE(item, char, > self->ob_size * itemsize); > self->ob_item = item; >@@ -1337,6 +1358,10 @@ array_fromstring(arrayobject *self, PyOb > n = n / itemsize; > if (n > 0) { > char *item = self->ob_item; >+ if ((n > INT_MAX - self->ob_size) || >+ ((self->ob_size + n) > INT_MAX / itemsize)) { >+ return PyErr_NoMemory(); >+ } > PyMem_RESIZE(item, char, (self->ob_size + n) * itemsize); > if (item == NULL) { > PyErr_NoMemory(); >@@ -1362,8 +1387,12 @@ values,as if it had been read from a fil > static PyObject * > array_tostring(arrayobject *self, PyObject *unused) > { >- return PyString_FromStringAndSize(self->ob_item, >+ if (self->ob_size <= INT_MAX / self->ob_descr->itemsize) { >+ return PyString_FromStringAndSize(self->ob_item, > self->ob_size * self->ob_descr->itemsize); >+ } else { >+ return PyErr_NoMemory(); >+ } > } > > PyDoc_STRVAR(tostring_doc, >@@ -1391,6 +1420,9 @@ array_fromunicode(arrayobject *self, PyO > } > if (n > 0) { > Py_UNICODE *item = (Py_UNICODE *) self->ob_item; >+ if (self->ob_size > INT_MAX - n) { >+ return PyErr_NoMemory(); >+ } > PyMem_RESIZE(item, Py_UNICODE, self->ob_size + n); > if (item == NULL) { > PyErr_NoMemory(); >Index: Python-2.4.4/Modules/cStringIO.c >=================================================================== >--- Python-2.4.4.orig/Modules/cStringIO.c >+++ Python-2.4.4/Modules/cStringIO.c >@@ -121,6 +121,7 @@ PyDoc_STRVAR(IO_getval__doc__, > static PyObject * > IO_cgetval(PyObject *self) { > UNLESS (IO__opencheck(IOOOBJECT(self))) return NULL; >+ assert(IOOOBJECT(self)->pos >= 0); > return PyString_FromStringAndSize(((IOobject*)self)->buf, > ((IOobject*)self)->pos); > } >@@ -139,6 +140,7 @@ IO_getval(IOobject *self, PyObject *args > } > else > s=self->string_size; >+ assert(self->pos >= 0); > return PyString_FromStringAndSize(self->buf, s); > } > >@@ -158,6 +160,8 @@ IO_cread(PyObject *self, char **output, > int l; > > UNLESS (IO__opencheck(IOOOBJECT(self))) return -1; >+ assert(IOOOBJECT(self)->pos >= 0); >+ assert(IOOOBJECT(self)->string_size >= 0); > l = ((IOobject*)self)->string_size - ((IOobject*)self)->pos; > if (n < 0 || n > l) { > n = l; >@@ -197,6 +201,11 @@ IO_creadline(PyObject *self, char **outp > > *output=((IOobject*)self)->buf + ((IOobject*)self)->pos; > l = n - ((IOobject*)self)->buf - ((IOobject*)self)->pos; >+ >+ assert(IOOOBJECT(self)->pos <= INT_MAX - l); >+ assert(IOOOBJECT(self)->pos >= 0); >+ assert(IOOOBJECT(self)->string_size >= 0); >+ > ((IOobject*)self)->pos += l; > return l; > } >@@ -215,6 +224,7 @@ IO_readline(IOobject *self, PyObject *ar > n -= m; > self->pos -= m; > } >+ assert(IOOOBJECT(self)->pos >= 0); > return PyString_FromStringAndSize(output, n); > } > >@@ -277,6 +287,7 @@ IO_tell(IOobject *self, PyObject *unused > > UNLESS (IO__opencheck(self)) return NULL; > >+ assert(self->pos >= 0); > return PyInt_FromLong(self->pos); > } > >Index: Python-2.4.4/Modules/stropmodule.c >=================================================================== >--- Python-2.4.4.orig/Modules/stropmodule.c >+++ Python-2.4.4/Modules/stropmodule.c >@@ -576,7 +576,7 @@ strop_expandtabs(PyObject *self, PyObjec > char* e; > char* p; > char* q; >- int i, j; >+ int i, j, old_j; > PyObject* out; > char* string; > int stringlen; >@@ -593,12 +593,18 @@ strop_expandtabs(PyObject *self, PyObjec > } > > /* First pass: determine size of output string */ >- i = j = 0; /* j: current column; i: total of previous lines */ >+ i = j = old_j = 0; /* j: current column; i: total of previous lines */ > e = string + stringlen; > for (p = string; p < e; p++) { >- if (*p == '\t') >+ if (*p == '\t') { > j += tabsize - (j%tabsize); >- else { >+ if (old_j > j) { >+ PyErr_SetString(PyExc_OverflowError, >+ "new string is too long"); >+ return NULL; >+ } >+ old_j = j; >+ } else { > j++; > if (*p == '\n') { > i += j; >@@ -607,6 +613,11 @@ strop_expandtabs(PyObject *self, PyObjec > } > } > >+ if ((i + j) < 0) { >+ PyErr_SetString(PyExc_OverflowError, "new string is too long"); >+ return NULL; >+ } >+ > /* Second pass: create output string and fill it */ > out = PyString_FromStringAndSize(NULL, i+j); > if (out == NULL) >Index: Python-2.4.4/Modules/binascii.c >=================================================================== >--- Python-2.4.4.orig/Modules/binascii.c >+++ Python-2.4.4/Modules/binascii.c >@@ -194,6 +194,8 @@ binascii_a2b_uu(PyObject *self, PyObject > if ( !PyArg_ParseTuple(args, "t#:a2b_uu", &ascii_data, &ascii_len) ) > return NULL; > >+ assert(ascii_len >= 0); >+ > /* First byte: binary data length (in bytes) */ > bin_len = (*ascii_data++ - ' ') & 077; > ascii_len--; >@@ -347,6 +349,11 @@ binascii_a2b_base64(PyObject *self, PyOb > if ( !PyArg_ParseTuple(args, "t#:a2b_base64", &ascii_data, &ascii_len) ) > return NULL; > >+ assert(ascii_len >= 0); >+ >+ if (ascii_len > INT_MAX - 3) >+ return PyErr_NoMemory(); >+ > bin_len = ((ascii_len+3)/4)*3; /* Upper bound, corrected later */ > > /* Allocate the buffer */ >@@ -436,6 +443,9 @@ binascii_b2a_base64(PyObject *self, PyOb > > if ( !PyArg_ParseTuple(args, "s#:b2a_base64", &bin_data, &bin_len) ) > return NULL; >+ >+ assert(bin_len >= 0); >+ > if ( bin_len > BASE64_MAXBIN ) { > PyErr_SetString(Error, "Too much data for base64 line"); > return NULL; >@@ -491,6 +501,11 @@ binascii_a2b_hqx(PyObject *self, PyObjec > if ( !PyArg_ParseTuple(args, "t#:a2b_hqx", &ascii_data, &len) ) > return NULL; > >+ assert(len >= 0); >+ >+ if (len > INT_MAX - 2) >+ return PyErr_NoMemory(); >+ > /* Allocate a string that is too big (fixed later) > Add two to the initial length to prevent interning which > would preclude subsequent resizing. */ >@@ -554,6 +569,11 @@ binascii_rlecode_hqx(PyObject *self, PyO > if ( !PyArg_ParseTuple(args, "s#:rlecode_hqx", &in_data, &len) ) > return NULL; > >+ assert(len >= 0); >+ >+ if (len > INT_MAX / 2 - 2) >+ return PyErr_NoMemory(); >+ > /* Worst case: output is twice as big as input (fixed later) */ > if ( (rv=PyString_FromStringAndSize(NULL, len*2+2)) == NULL ) > return NULL; >@@ -603,6 +623,11 @@ binascii_b2a_hqx(PyObject *self, PyObjec > if ( !PyArg_ParseTuple(args, "s#:b2a_hqx", &bin_data, &len) ) > return NULL; > >+ assert(len >= 0); >+ >+ if (len > INT_MAX / 2 - 2) >+ return PyErr_NoMemory(); >+ > /* Allocate a buffer that is at least large enough */ > if ( (rv=PyString_FromStringAndSize(NULL, len*2+2)) == NULL ) > return NULL; >@@ -641,9 +666,13 @@ binascii_rledecode_hqx(PyObject *self, P > if ( !PyArg_ParseTuple(args, "s#:rledecode_hqx", &in_data, &in_len) ) > return NULL; > >+ assert(in_len >= 0); >+ > /* Empty string is a special case */ > if ( in_len == 0 ) > return Py_BuildValue("s", ""); >+ else if (in_len > INT_MAX / 2) >+ return PyErr_NoMemory(); > > /* Allocate a buffer of reasonable size. Resized when needed */ > out_len = in_len*2; >@@ -669,6 +698,7 @@ binascii_rledecode_hqx(PyObject *self, P > #define OUTBYTE(b) \ > do { \ > if ( --out_len_left < 0 ) { \ >+ if ( out_len > INT_MAX / 2) return PyErr_NoMemory(); \ > _PyString_Resize(&rv, 2*out_len); \ > if ( rv == NULL ) return NULL; \ > out_data = (unsigned char *)PyString_AsString(rv) \ >@@ -737,7 +767,7 @@ binascii_crc_hqx(PyObject *self, PyObjec > if ( !PyArg_ParseTuple(args, "s#i:crc_hqx", &bin_data, &len, &crc) ) > return NULL; > >- while(len--) { >+ while(len-- > 0) { > crc=((crc<<8)&0xff00)^crctab_hqx[((crc>>8)&0xff)^*bin_data++]; > } > >@@ -881,7 +911,7 @@ binascii_crc32(PyObject *self, PyObject > /* only want the trailing 32 bits */ > crc &= 0xFFFFFFFFUL; > #endif >- while (len--) >+ while (len-- > 0) > crc = crc_32_tab[(crc ^ *bin_data++) & 0xffUL] ^ (crc >> 8); > /* Note: (crc >> 8) MUST zero fill on left */ > >@@ -911,6 +941,10 @@ binascii_hexlify(PyObject *self, PyObjec > if (!PyArg_ParseTuple(args, "s#:b2a_hex", &argbuf, &arglen)) > return NULL; > >+ assert(arglen >= 0); >+ if (arglen > INT_MAX / 2) >+ return PyErr_NoMemory(); >+ > retval = PyString_FromStringAndSize(NULL, arglen*2); > if (!retval) > return NULL; >@@ -968,6 +1002,8 @@ binascii_unhexlify(PyObject *self, PyObj > if (!PyArg_ParseTuple(args, "s#:a2b_hex", &argbuf, &arglen)) > return NULL; > >+ assert(arglen >= 0); >+ > /* XXX What should we do about strings with an odd length? Should > * we add an implicit leading zero, or a trailing zero? For now, > * raise an exception. >Index: Python-2.4.4/Modules/audioop.c >=================================================================== >--- Python-2.4.4.orig/Modules/audioop.c >+++ Python-2.4.4/Modules/audioop.c >@@ -674,7 +674,7 @@ static PyObject * > audioop_tostereo(PyObject *self, PyObject *args) > { > signed char *cp, *ncp; >- int len, size, val1, val2, val = 0; >+ int len, new_len, size, val1, val2, val = 0; > double fac1, fac2, fval, maxval; > PyObject *rv; > int i; >@@ -690,7 +690,14 @@ audioop_tostereo(PyObject *self, PyObjec > return 0; > } > >- rv = PyString_FromStringAndSize(NULL, len*2); >+ new_len = len*2; >+ if (new_len < 0) { >+ PyErr_SetString(PyExc_MemoryError, >+ "not enough memory for output buffer"); >+ return 0; >+ } >+ >+ rv = PyString_FromStringAndSize(NULL, new_len); > if ( rv == 0 ) > return 0; > ncp = (signed char *)PyString_AsString(rv); >@@ -853,7 +860,7 @@ audioop_lin2lin(PyObject *self, PyObject > { > signed char *cp; > unsigned char *ncp; >- int len, size, size2, val = 0; >+ int len, new_len, size, size2, val = 0; > PyObject *rv; > int i, j; > >@@ -867,7 +874,13 @@ audioop_lin2lin(PyObject *self, PyObject > return 0; > } > >- rv = PyString_FromStringAndSize(NULL, (len/size)*size2); >+ new_len = (len/size)*size2; >+ if (new_len < 0) { >+ PyErr_SetString(PyExc_MemoryError, >+ "not enough memory for output buffer"); >+ return 0; >+ } >+ rv = PyString_FromStringAndSize(NULL, new_len); > if ( rv == 0 ) > return 0; > ncp = (unsigned char *)PyString_AsString(rv); >@@ -903,6 +916,7 @@ audioop_ratecv(PyObject *self, PyObject > int chan, d, *prev_i, *cur_i, cur_o; > PyObject *state, *samps, *str, *rv = NULL; > int bytes_per_frame; >+ size_t alloc_size; > > weightA = 1; > weightB = 0; >@@ -944,8 +958,14 @@ audioop_ratecv(PyObject *self, PyObject > inrate /= d; > outrate /= d; > >- prev_i = (int *) malloc(nchannels * sizeof(int)); >- cur_i = (int *) malloc(nchannels * sizeof(int)); >+ alloc_size = sizeof(int) * (unsigned)nchannels; >+ if (alloc_size < nchannels) { >+ PyErr_SetString(PyExc_MemoryError, >+ "not enough memory for output buffer"); >+ return 0; >+ } >+ prev_i = (int *) malloc(alloc_size); >+ cur_i = (int *) malloc(alloc_size); > if (prev_i == NULL || cur_i == NULL) { > (void) PyErr_NoMemory(); > goto exit; >@@ -1116,7 +1136,7 @@ audioop_ulaw2lin(PyObject *self, PyObjec > unsigned char *cp; > unsigned char cval; > signed char *ncp; >- int len, size, val; >+ int len, new_len, size, val; > PyObject *rv; > int i; > >@@ -1129,12 +1149,18 @@ audioop_ulaw2lin(PyObject *self, PyObjec > return 0; > } > >- rv = PyString_FromStringAndSize(NULL, len*size); >+ new_len = len*size; >+ if (new_len < 0) { >+ PyErr_SetString(PyExc_MemoryError, >+ "not enough memory for output buffer"); >+ return 0; >+ } >+ rv = PyString_FromStringAndSize(NULL, new_len); > if ( rv == 0 ) > return 0; > ncp = (signed char *)PyString_AsString(rv); > >- for ( i=0; i < len*size; i += size ) { >+ for ( i=0; i < new_len; i += size ) { > cval = *cp++; > val = st_ulaw_to_linear(cval); > >@@ -1259,7 +1285,7 @@ audioop_adpcm2lin(PyObject *self, PyObje > { > signed char *cp; > signed char *ncp; >- int len, size, valpred, step, delta, index, sign, vpdiff; >+ int len, new_len, size, valpred, step, delta, index, sign, vpdiff; > PyObject *rv, *str, *state; > int i, inputbuffer = 0, bufferstep; > >@@ -1281,7 +1307,13 @@ audioop_adpcm2lin(PyObject *self, PyObje > } else if ( !PyArg_Parse(state, "(ii)", &valpred, &index) ) > return 0; > >- str = PyString_FromStringAndSize(NULL, len*size*2); >+ new_len = len*size*2; >+ if (new_len < 0) { >+ PyErr_SetString(PyExc_MemoryError, >+ "not enough memory for output buffer"); >+ return 0; >+ } >+ str = PyString_FromStringAndSize(NULL, new_len); > if ( str == 0 ) > return 0; > ncp = (signed char *)PyString_AsString(str); >@@ -1289,7 +1321,7 @@ audioop_adpcm2lin(PyObject *self, PyObje > step = stepsizeTable[index]; > bufferstep = 0; > >- for ( i=0; i < len*size*2; i += size ) { >+ for ( i=0; i < new_len; i += size ) { > /* Step 1 - get the delta value and compute next index */ > if ( bufferstep ) { > delta = inputbuffer & 0xf; >Index: Python-2.4.4/Modules/cPickle.c >=================================================================== >--- Python-2.4.4.orig/Modules/cPickle.c >+++ Python-2.4.4/Modules/cPickle.c >@@ -3419,6 +3419,14 @@ load_binstring(Unpicklerobject *self) > if (self->read_func(self, &s, 4) < 0) return -1; > > l = calc_binint(s, 4); >+ if (l < 0) { >+ /* Corrupt or hostile pickle -- we never write one like >+ * this. >+ */ >+ PyErr_SetString(UnpicklingError, >+ "BINSTRING pickle has negative byte count"); >+ return -1; >+ } > > if (self->read_func(self, &s, l) < 0) > return -1; >@@ -3486,6 +3494,14 @@ load_binunicode(Unpicklerobject *self) > if (self->read_func(self, &s, 4) < 0) return -1; > > l = calc_binint(s, 4); >+ if (l < 0) { >+ /* Corrupt or hostile pickle -- we never write one like >+ * this. >+ */ >+ PyErr_SetString(UnpicklingError, >+ "BINUNICODE pickle has negative byte count"); >+ return -1; >+ } > > if (self->read_func(self, &s, l) < 0) > return -1; >Index: Python-2.4.4/Modules/_csv.c >=================================================================== >--- Python-2.4.4.orig/Modules/_csv.c >+++ Python-2.4.4/Modules/_csv.c >@@ -470,6 +470,10 @@ parse_grow_buff(ReaderObj *self) > self->field = PyMem_Malloc(self->field_size); > } > else { >+ if (self->field_size > INT_MAX / 2) { >+ PyErr_NoMemory(); >+ return 0; >+ } > self->field_size *= 2; > self->field = PyMem_Realloc(self->field, self->field_size); > } >@@ -1003,6 +1007,12 @@ join_append_data(WriterObj *self, char * > static int > join_check_rec_size(WriterObj *self, int rec_len) > { >+ >+ if (rec_len < 0 || rec_len > INT_MAX - MEM_INCR) { >+ PyErr_NoMemory(); >+ return 0; >+ } >+ > if (rec_len > self->rec_size) { > if (self->rec_size == 0) { > self->rec_size = (rec_len / MEM_INCR + 1) * MEM_INCR;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=161579">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 232137
:
160679
|
161577
| 161579
