author | Martin Wilke <miwi@FreeBSD.org> | 2008-09-08 00:14:06 +0000 |
---|---|---|
committer | Martin Wilke <miwi@FreeBSD.org> | 2008-09-08 00:14:06 +0000 |
commit | 8a1ff65b9b4abb36af6477b5c168037be07d4f71 (patch) | |
tree | b9ac213a94e3a8e1c94343b9c5297f42639bc33e /lang/python26/files/patch-objects_stringobject.c | |
parent | 07d5244e8b5f934bc45867d9c55e8e55d26af59e (diff) |
- Security fixes
Multiple vulnerabilities:
1) Various integer overflow errors exist in core modules e.g. stringobject,
unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule, mmapmodule.
2) An integer overflow in the hashlib module can lead to unreliable cryptographic digest results.
3) Integer overflow errors in the processing of unicode strings can be exploited to cause
buffer overflows on 32-bit systems.
4) An integer overflow exists in the PyOS_vsnprintf() function on architectures that do not
have a "vsnprintf()" function.
5) An integer underflow error in the PyOS_vsnprintf() function when passing zero-length strings
can lead to memory corruption.
PR: 127172 (based on)
Submitted by: bf <bf2006a@yahoo.com>
Obtained from: python svn
Security: CVE-2008-2315, CVE-2008-2316, CVE-2008-3142, CVE-2008-3144, CVE-2008-3143. (vuxml come later)
Notes
Notes:
svn path=/head/; revision=220193
Diffstat (limited to 'lang/python26/files/patch-objects_stringobject.c')
-rw-r--r-- | lang/python26/files/patch-objects_stringobject.c | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/lang/python26/files/patch-objects_stringobject.c b/lang/python26/files/patch-objects_stringobject.c
new file mode 100644
index 000000000000..af55c78a4928
--- /dev/null
+++ b/lang/python26/files/patch-objects_stringobject.c
@@ -0,0 +1,49 @@
+--- Objects/stringobject.c.orig 2007-11-07 01:19:49.000000000 +0000
++++ Objects/stringobject.c 2008-08-30 10:16:13.000000000 +0100
+@@ -71,6 +71,11 @@
+ return (PyObject *)op;
+ }
+
++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
++ PyErr_SetString(PyExc_OverflowError, "string is too large");
++ return NULL;
++ }
++
+ /* Inline PyObject_NewVar */
+ op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
+ if (op == NULL)
+@@ -106,7 +111,7 @@
+
+ assert(str != NULL);
+ size = strlen(str);
+- if (size > PY_SSIZE_T_MAX) {
++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
+ PyErr_SetString(PyExc_OverflowError,
+ "string is too long for a Python string");
+ return NULL;
+@@ -967,14 +972,24 @@
+ Py_INCREF(a);
+ return (PyObject *)a;
+ }
++ /* Check that string sizes are not negative, to prevent an
++ overflow in cases where we are passed incorrectly-created
++ strings with negative lengths (due to a bug in other code).
++ */
+ size = a->ob_size + b->ob_size;
+- if (size < 0) {
++ if (a->ob_size < 0 || b->ob_size < 0 ||
++ a->ob_size > PY_SSIZE_T_MAX - b->ob_size) {
+ PyErr_SetString(PyExc_OverflowError,
+ "strings are too large to concat");
+ return NULL;
+ }
+
+ /* Inline PyObject_NewVar */
++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
++ PyErr_SetString(PyExc_OverflowError,
++ "strings are too large to concat");
++ return NULL;
++ }
+ op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
+ if (op == NULL)
+ return PyErr_NoMemory();
|
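Review bot: In the embedded hunk `@@ -967,14 +972,24 @@`, `size = a->ob_size + b->ob_size;` is still evaluated before the new guard, so the signed addition can overflow (undefined behaviour in C) ahead of the check that is meant to rule it out. The guard does not read `size`, so the assignment can simply move below the `if (a->ob_size < 0 || b->ob_size < 0 || a->ob_size > PY_SSIZE_T_MAX - b->ob_size)` block. The added `size > PY_SSIZE_T_MAX - sizeof(PyStringObject)` tests in the first and third embedded hunks compare what appears to be a signed length against a `size_t` expression; the implicit conversion happens to reject negative values too, and a one-line comment such as `/* size is converted to size_t here, so negative lengths are rejected as well */` would make that reliance explicit. The enclosing functions start and end outside all three embedded hunks, so the declared type of `size` in each should be confirmed against the full file.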