Skip to content

Commit 4ac2528

Browse files
hroncokjaybosamiya
andcommitted
Fixes possible integer overflow in PyBytes_DecodeEscape. Co-Authored-By: Jay Bosamiya <jaybosamiya@gmail.com>
1 parent dcb101e commit 4ac2528

3 files changed

Lines changed: 11 additions & 1 deletion

File tree

Misc/ACKS

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -167,6 +167,7 @@ Médéric Boquien
167167
Matias Bordese
168168
Jonas Borgström
169169
Jurjen Bos
170+
Jay Bosamiya
170171
Peter Bosch
171172
Dan Boswell
172173
Eric Bouck
@@ -651,6 +652,7 @@ Ken Howard
651652
Brad Howes
652653
Mike Hoy
653654
Ben Hoyt
655+
Miro Hrončok
654656
Chiu-Hsiang Hsu
655657
Chih-Hao Huang
656658
Christian Hudon
Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
Fixed possible integer overflow in PyBytes_DecodeEscape, CVE-2017-1000158.
2+
Original patch by Jay Bosamiya; rebased to Python 3 by Miro Hrončok.

Objects/bytesobject.c

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -970,7 +970,13 @@ PyObject *PyBytes_DecodeEscape(const char *s,
970970
char *p, *buf;
971971
const char *end;
972972
PyObject *v;
973-
Py_ssize_t newlen = recode_encoding ? 4*len:len;
973+
Py_ssize_t newlen;
974+
/* Check for integer overflow */
975+
if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
976+
PyErr_SetString(PyExc_OverflowError, "string is too large");
977+
return NULL;
978+
}
979+
newlen = recode_encoding ? 4*len:len;
974980
v = PyBytes_FromStringAndSize((char *)NULL, newlen);
975981
if (v == NULL)
976982
return NULL;

0 commit comments

Comments
 (0)