From 382ff63aa17856475bb81dbf24df3ac36c60c4e3 Mon Sep 17 00:00:00 2001
From: Alexey Izbyshev
Date: Sun, 28 Oct 2018 15:06:36 +0300
Subject: [PATCH 1/7] bpo-35090: bz2: Fix potential division by zero in BZ2_Malloc()

Reported by Svace static analyzer.
---
 Modules/_bz2module.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
index 3890b60b1b87b31..9b12acca9113333 100644
--- a/Modules/_bz2module.c
+++ b/Modules/_bz2module.c
@@ -277,7 +277,7 @@ BZ2_Malloc(void* ctx, int items, int size)
 {
 if (items < 0 || size < 0)
 return NULL;
- if ((size_t)items > (size_t)PY_SSIZE_T_MAX / (size_t)size)
+ if (size != 0 && (size_t)items > (size_t)PY_SSIZE_T_MAX / (size_t)size)
 return NULL;
 /* PyMem_Malloc() cannot be used: compress() and decompress()
 release the GIL */

From e32429642ee57c48472c6348b151d3393519334d Mon Sep 17 00:00:00 2001
From: Alexey Izbyshev
Date: Sun, 28 Oct 2018 17:25:42 +0300
Subject: [PATCH 2/7] Add NEWS entry

---
 .../next/Library/2018-10-28-17-25-24.bpo-35090.oMjlmF.rst | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Library/2018-10-28-17-25-24.bpo-35090.oMjlmF.rst

diff --git a/Misc/NEWS.d/next/Library/2018-10-28-17-25-24.bpo-35090.oMjlmF.rst b/Misc/NEWS.d/next/Library/2018-10-28-17-25-24.bpo-35090.oMjlmF.rst
new file mode 100644
index 000000000000000..d5918174c19ffd5
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2018-10-28-17-25-24.bpo-35090.oMjlmF.rst
@@ -0,0 +1,2 @@
+:mod:`bz2`: Avoid division by zero in ``BZ2_Malloc()`` in case if
+``size == 0``.

From 51ee58ece8f7b0e977f28fdff93f93aa5ea9206b Mon Sep 17 00:00:00 2001
From: Alexey Izbyshev
Date: Sun, 28 Oct 2018 18:09:45 +0300
Subject: [PATCH 3/7] Revert "Add NEWS entry"

This reverts commit e32429642ee57c48472c6348b151d3393519334d.
---
 .../next/Library/2018-10-28-17-25-24.bpo-35090.oMjlmF.rst | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 Misc/NEWS.d/next/Library/2018-10-28-17-25-24.bpo-35090.oMjlmF.rst
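Review bot: In the BZ2_Malloc hunk of [PATCH 1/7], the new `size != 0 &&` guard carries no comment saying that a zero `size` is deliberately passed through to the allocator rather than rejected, so a later reader cannot tell whether a zero-byte request is expected or only a static-analysis finding (the commit message credits Svace). I would add above the check `/* size == 0 cannot overflow; skip the division and let the allocator handle a zero-byte request */`. The same applies to the identical guards added to PyLzma_Malloc in [PATCH 6/7] and PyZlib_Malloc in [PATCH 7/7]. The function's return statement lies outside this hunk.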
diff --git a/Misc/NEWS.d/next/Library/2018-10-28-17-25-24.bpo-35090.oMjlmF.rst b/Misc/NEWS.d/next/Library/2018-10-28-17-25-24.bpo-35090.oMjlmF.rst
deleted file mode 100644
index d5918174c19ffd5..000000000000000
--- a/Misc/NEWS.d/next/Library/2018-10-28-17-25-24.bpo-35090.oMjlmF.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-:mod:`bz2`: Avoid division by zero in ``BZ2_Malloc()`` in case if
-``size == 0``.

From fe6b110919d72daf6a64e4d66d631504c72db378 Mon Sep 17 00:00:00 2001
From: Alexey Izbyshev
Date: Sun, 28 Oct 2018 18:18:00 +0300
Subject: [PATCH 4/7] Fix potential integer overflow

---
 Modules/_bz2module.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
index 9b12acca9113333..4a1c7bda16ad3c5 100644
--- a/Modules/_bz2module.c
+++ b/Modules/_bz2module.c
@@ -281,7 +281,7 @@ BZ2_Malloc(void* ctx, int items, int size)
 return NULL;
 /* PyMem_Malloc() cannot be used: compress() and decompress()
 release the GIL */
- return PyMem_RawMalloc(items * size);
+ return PyMem_RawMalloc((Py_ssize_t)items * (Py_ssize_t)size);
 }
 
 static void

From cb077ff9b5991df926325bbcda6a09206b0e7021 Mon Sep 17 00:00:00 2001
From: Alexey Izbyshev
Date: Sun, 28 Oct 2018 18:33:00 +0300
Subject: [PATCH 5/7] Explicitly use size_t as expected by PyRaw_Malloc

---
 Modules/_bz2module.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
index 4a1c7bda16ad3c5..f0d9588fe55d6f9 100644
--- a/Modules/_bz2module.c
+++ b/Modules/_bz2module.c
@@ -281,7 +281,7 @@ BZ2_Malloc(void* ctx, int items, int size)
 return NULL;
 /* PyMem_Malloc() cannot be used: compress() and decompress()
 release the GIL */
- return PyMem_RawMalloc((Py_ssize_t)items * (Py_ssize_t)size);
+ return PyMem_RawMalloc((size_t)items * (size_t)size);
 }
 
 static void

From 439425ff62618ba300ceb48e2214ecb41fbdebee Mon Sep 17 00:00:00 2001
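Review bot: In the [PATCH 5/7] hunk, `(size_t)items * (size_t)size` is only safe because of two checks that sit outside this hunk — the `items < 0 || size < 0` rejection and the `PY_SSIZE_T_MAX` bound visible in [PATCH 1/7] — and nothing on the new line records that dependency. A comment such as `/* items and size are non-negative and items * size <= PY_SSIZE_T_MAX (checked above), so the size_t product cannot wrap */` would keep a later cleanup from dropping the casts as redundant or reordering the checks. An equivalent comment fits the cast added to PyZlib_Malloc in [PATCH 7/7], where both operands are `uInt`. The subject line also names `PyRaw_Malloc` while the code calls `PyMem_RawMalloc`.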
From: Alexey Izbyshev
Date: Sun, 28 Oct 2018 19:17:28 +0300
Subject: [PATCH 6/7] Avoid division by zero in PyLzma_Malloc()

---
 Modules/_lzmamodule.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
index 7b501d8202d8b99..bb7a7ec50ce059b 100644
--- a/Modules/_lzmamodule.c
+++ b/Modules/_lzmamodule.c
@@ -108,7 +108,7 @@ catch_lzma_error(lzma_ret lzret)
 static void*
 PyLzma_Malloc(void *opaque, size_t items, size_t size)
 {
- if (items > (size_t)PY_SSIZE_T_MAX / size)
+ if (size != 0 && items > (size_t)PY_SSIZE_T_MAX / size)
 return NULL;
 /* PyMem_Malloc() cannot be used:
 the GIL is not held when lzma_code() is called */

From 0d5b3858d75100909a7d5513cc4d0ed0257bbe08 Mon Sep 17 00:00:00 2001
From: Alexey Izbyshev
Date: Sun, 28 Oct 2018 19:18:05 +0300
Subject: [PATCH 7/7] Avoid division by zero and integer overflow in PyZlib_Malloc()

---
 Modules/zlibmodule.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
index 36a3835e421fbb7..00bbe21fc0bd827 100644
--- a/Modules/zlibmodule.c
+++ b/Modules/zlibmodule.c
@@ -117,11 +117,11 @@ newcompobject(PyTypeObject *type)
 static void*
 PyZlib_Malloc(voidpf ctx, uInt items, uInt size)
 {
- if (items > (size_t)PY_SSIZE_T_MAX / size)
+ if (size != 0 && items > (size_t)PY_SSIZE_T_MAX / size)
 return NULL;
 /* PyMem_Malloc() cannot be used: the GIL is not held when
 inflate() and deflate() are called */
- return PyMem_RawMalloc(items * size);
+ return PyMem_RawMalloc((size_t)items * (size_t)size);
 }
 
 static void