[issue26171] heap overflow in zipimporter module
Insu Yun
report at bugs.python.org
Thu Jan 21 18:40:14 EST 2016
Insu Yun added the comment:
in zipimport.c:

    bytes_size = compress == 0 ? data_size : data_size + 1;
    if (bytes_size == 0)
        bytes_size++;
    raw_data = PyBytes_FromStringAndSize((char *)NULL, bytes_size);
If compress != 0, then bytes_size = data_size + 1.
data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0.
In that case bytes_size becomes 1 and Python allocates a small heap buffer, but after that, in fread, it overflows the heap.
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue26171>
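The size arithmetic described in the report, written out as an added example (not CPython's code and not the upstream fix): the unchecked computation yields a 1-byte allocation for data_size = -1, a check predicts whether the later read of data_size bytes would run past that buffer, and an assumed hardened variant rejects negative or overflowing sizes before allocating.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Mirrors the computation quoted from zipimport.c. data_size is a long,
 * as it is when taken from an untrusted zip central-directory entry. */
long bytes_size_unchecked(long data_size, int compress)
{
    long bytes_size = compress == 0 ? data_size : data_size + 1;
    if (bytes_size == 0)
        bytes_size++;          /* data_size == -1 lands here: 1 byte */
    return bytes_size;
}

/* Returns 1 when a subsequent fread() of data_size bytes would write past
 * the bytes_size buffer the unchecked path allocates (size_t cast is what
 * a read length of -1 becomes: a huge count against a 1-byte buffer). */
int read_exceeds_buffer(long data_size, int compress)
{
    size_t allocated = (size_t)bytes_size_unchecked(data_size, compress);
    return (size_t)data_size > allocated;
}

/* Assumed hardened variant (example, not the upstream patch): validate the
 * untrusted size before any arithmetic. Returns 0 on success and stores the
 * allocation size in *out; returns -1 for a negative or overflowing size. */
int bytes_size_checked(long data_size, int compress, long *out)
{
    if (data_size < 0)
        return -1;                              /* negative data size */
    if (compress != 0 && data_size == LONG_MAX)
        return -1;                              /* data_size + 1 overflows */
    long bytes_size = compress == 0 ? data_size : data_size + 1;
    if (bytes_size == 0)
        bytes_size = 1;                         /* PyBytes needs >= 1 byte */
    *out = bytes_size;
    return 0;
}

int main(void)
{
    long out = 0;
    printf("unchecked: data_size=-1, compressed -> allocates %ld byte(s); "
           "read exceeds buffer: %d\n",
           bytes_size_unchecked(-1, 1), read_exceeds_buffer(-1, 1));
    printf("checked:   data_size=-1 -> %s\n",
           bytes_size_checked(-1, 1, &out) == 0 ? "accepted" : "rejected");
    return 0;
}
```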