# HG changeset patch
# User Benjamin Peterson <benjamin@python.org>
# Date 1453357424 28800
# Node ID 985fc64c60d6adffd1138b6cc46df388ca91ca5d
# Parent 7ec954b9fc54448a35b56d271340ba109eb381b9
prevent buffer overflow in get_data (closes #26171)
Upstream-Status: Backport
https://hg.python.org/cpython/rev/985fc64c60d6
CVE: CVE-2016-5636
Signed-off-by: Armin Kuster <akuster@mvista.com>
Index: Python-2.7.11/Misc/NEWS
===================================================================
--- Python-2.7.11.orig/Misc/NEWS
+++ Python-2.7.11/Misc/NEWS
@@ -7,6 +7,9 @@ What's New in Python 2.7.11?
*Release date: 2015-12-05*
+- Issue #26171: Fix possible integer overflow and heap corruption in
+ zipimporter.get_data().
+
Library
-------
Index: Python-2.7.11/Modules/zipimport.c
===================================================================
--- Python-2.7.11.orig/Modules/zipimport.c
+++ Python-2.7.11/Modules/zipimport.c
@@ -895,6 +895,11 @@ get_data(char *archive, PyObject *toc_en
PyMarshal_ReadShortFromFile(fp); /* local header size */
file_offset += l; /* Start of file data */
+ if (data_size > LONG_MAX - 1) {
+ fclose(fp);
+ PyErr_NoMemory();
+ return NULL;
+ }
raw_data = PyString_FromStringAndSize((char *)NULL, compress == 0 ?
data_size : data_size + 1);
if (raw_data == NULL) {
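Review bot: The new guard before `PyString_FromStringAndSize` rejects only values above `LONG_MAX - 1`, so a negative `data_size` still passes it; the comparison against `LONG_MAX` suggests the variable is a signed `long`, though its declaration is outside the hunk. With `data_size == -1` and `compress != 0` the requested length becomes `data_size + 1 == 0`, which yields a valid empty string, and any later use of `data_size` as a read length in the part of `get_data` below this hunk would then exceed that allocation. Rejecting the lower bound in the same test closes this: `if (data_size < 0 || data_size > LONG_MAX - 1) {`. Since the value appears to come from the archive's table-of-contents entry, an error describing a malformed archive would fit better than `PyErr_NoMemory()`, but that is secondary.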