[Python-checkins] bpo-30657: Fix CVE-2017-1000158 (#4664)

larryhastings webhook-mailer at python.org
Fri Dec 8 16:34:20 EST 2017 

https://github.com/python/cpython/commit/fd8614c5c5466a14a945db5b059c10c0fb8f76d9
commit: fd8614c5c5466a14a945db5b059c10c0fb8f76d9
branch: 3.5
author: Miro Hrončok <miro at hroncok.cz>
committer: larryhastings <larry at hastings.org>
date: 2017-12-08T13:34:12-08:00
summary:

bpo-30657: Fix CVE-2017-1000158 (#4664)

Fixes possible integer overflow in PyBytes_DecodeEscape.

Co-Authored-By: Jay Bosamiya <jaybosamiya at gmail.com>

files:
A Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst
M Misc/ACKS
M Objects/bytesobject.c

diff --git a/Misc/ACKS b/Misc/ACKS
index fbf110d801b..1a35aad66ce 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -167,6 +167,7 @@ Médéric Boquien
 Matias Bordese
 Jonas Borgström
 Jurjen Bos
+Jay Bosamiya
 Peter Bosch
 Dan Boswell
 Eric Bouck
@@ -651,6 +652,7 @@ Ken Howard
 Brad Howes
 Mike Hoy
 Ben Hoyt
+Miro Hrončok
 Chiu-Hsiang Hsu
 Chih-Hao Huang
 Christian Hudon
diff --git a/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst b/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst
new file mode 100644
index 00000000000..75359b6d883
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst
@@ -0,0 +1,2 @@
+Fixed possible integer overflow in PyBytes_DecodeEscape, CVE-2017-1000158.
+Original patch by Jay Bosamiya; rebased to Python 3 by Miro Hrončok.
diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
index 77dd45e84af..9b29dc38b44 100644
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -970,7 +970,13 @@ PyObject *PyBytes_DecodeEscape(const char *s,
     char *p, *buf;
     const char *end;
     PyObject *v;
-    Py_ssize_t newlen = recode_encoding ? 4*len:len;
+    Py_ssize_t newlen;
+    /* Check for integer overflow */
+    if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
+        PyErr_SetString(PyExc_OverflowError, "string is too large");
+        return NULL;
+    }
+    newlen = recode_encoding ? 4*len:len;
     v = PyBytes_FromStringAndSize((char *)NULL, newlen);
     if (v == NULL)
         return NULL;

More information about the Python-checkins mailing list