[Python-checkins] r65333 - in python/branches/release24-maint: Misc/NEWS Modules/gcmodule.c Modules/mmapmodule.c Modules/stropmodule.c Objects/bufferobject.c Objects/stringobject.c Objects/tupleobject.c Objects/unicodeobject.c

neal.norwitz python-checkins at python.org
Thu Jul 31 19:04:33 CEST 2008 

Author: neal.norwitz
Date: Thu Jul 31 19:04:32 2008
New Revision: 65333
Log:
Security patches from Apple: prevent int overflow when allocating memory
Modified:
 python/branches/release24-maint/Misc/NEWS
 python/branches/release24-maint/Modules/gcmodule.c
 python/branches/release24-maint/Modules/mmapmodule.c
 python/branches/release24-maint/Modules/stropmodule.c
 python/branches/release24-maint/Objects/bufferobject.c
 python/branches/release24-maint/Objects/stringobject.c
 python/branches/release24-maint/Objects/tupleobject.c
 python/branches/release24-maint/Objects/unicodeobject.c
Modified: python/branches/release24-maint/Misc/NEWS
==============================================================================
--- python/branches/release24-maint/Misc/NEWS	(original)
+++ python/branches/release24-maint/Misc/NEWS	Thu Jul 31 19:04:32 2008
@@ -18,6 +18,8 @@
 Core and builtins
 -----------------
 
+- Apply security patches from Apple.
+
 - Issue #2620: Overflow checking when allocating or reallocating memory
 was not always being done properly in some python types and extension
 modules. PyMem_MALLOC, PyMem_REALLOC, PyMem_NEW and PyMem_RESIZE have
Modified: python/branches/release24-maint/Modules/gcmodule.c
==============================================================================
--- python/branches/release24-maint/Modules/gcmodule.c	(original)
+++ python/branches/release24-maint/Modules/gcmodule.c	Thu Jul 31 19:04:32 2008
@@ -1249,7 +1249,10 @@
 _PyObject_GC_Malloc(size_t basicsize)
 {
 	PyObject *op;
-	PyGC_Head *g = PyObject_MALLOC(sizeof(PyGC_Head) + basicsize);
+	PyGC_Head *g;
+ 	if (basicsize > INT_MAX - sizeof(PyGC_Head))
+ 		return PyErr_NoMemory();
+	g = PyObject_MALLOC(sizeof(PyGC_Head) + basicsize);
 	if (g == NULL)
 		return PyErr_NoMemory();
 	g->gc.gc_refs = GC_UNTRACKED;
@@ -1291,6 +1294,8 @@
 {
 	const size_t basicsize = _PyObject_VAR_SIZE(op->ob_type, nitems);
 	PyGC_Head *g = AS_GC(op);
+ 	if (basicsize > INT_MAX - sizeof(PyGC_Head))
+ 		return (PyVarObject *)PyErr_NoMemory();
 	g = PyObject_REALLOC(g, sizeof(PyGC_Head) + basicsize);
 	if (g == NULL)
 		return (PyVarObject *)PyErr_NoMemory();
Modified: python/branches/release24-maint/Modules/mmapmodule.c
==============================================================================
--- python/branches/release24-maint/Modules/mmapmodule.c	(original)
+++ python/branches/release24-maint/Modules/mmapmodule.c	Thu Jul 31 19:04:32 2008
@@ -223,7 +223,7 @@
 		return(NULL);
 
 	/* silently 'adjust' out-of-range requests */
-	if ((self->pos + num_bytes) > self->size) {
+	if (num_bytes > self->size - self->pos) {
 		num_bytes -= (self->pos+num_bytes) - self->size;
 	}
 	result = Py_BuildValue("s#", self->data+self->pos, num_bytes);
Modified: python/branches/release24-maint/Modules/stropmodule.c
==============================================================================
--- python/branches/release24-maint/Modules/stropmodule.c	(original)
+++ python/branches/release24-maint/Modules/stropmodule.c	Thu Jul 31 19:04:32 2008
@@ -214,6 +214,13 @@
 				return NULL;
 			}
 			slen = PyString_GET_SIZE(item);
+			if (slen > INT_MAX - reslen ||
+			 seplen > INT_MAX - reslen - seplen) {
+				PyErr_SetString(PyExc_OverflowError,
+						"input too long");
+				Py_DECREF(res);
+				return NULL;
+			}
 			while (reslen + slen + seplen >= sz) {
 				if (_PyString_Resize(&res, sz * 2) < 0)
 					return NULL;
@@ -251,6 +258,14 @@
 			return NULL;
 		}
 		slen = PyString_GET_SIZE(item);
+		if (slen > INT_MAX - reslen ||
+		 seplen > INT_MAX - reslen - seplen) {
+			PyErr_SetString(PyExc_OverflowError,
+					"input too long");
+			Py_DECREF(res);
+			Py_XDECREF(item);
+			return NULL;
+		}
 		while (reslen + slen + seplen >= sz) {
 			if (_PyString_Resize(&res, sz * 2) < 0) {
 				Py_DECREF(item);
Modified: python/branches/release24-maint/Objects/bufferobject.c
==============================================================================
--- python/branches/release24-maint/Objects/bufferobject.c	(original)
+++ python/branches/release24-maint/Objects/bufferobject.c	Thu Jul 31 19:04:32 2008
@@ -384,6 +384,10 @@
 		count = 0;
 	if (!get_buf(self, &ptr, &size))
 		return NULL;
+	if (count > INT_MAX / size) {
+		PyErr_SetString(PyExc_MemoryError, "result too large");
+		return NULL;
+	}
 	ob = PyString_FromStringAndSize(NULL, size * count);
 	if ( ob == NULL )
 		return NULL;
Modified: python/branches/release24-maint/Objects/stringobject.c
==============================================================================
--- python/branches/release24-maint/Objects/stringobject.c	(original)
+++ python/branches/release24-maint/Objects/stringobject.c	Thu Jul 31 19:04:32 2008
@@ -69,6 +69,11 @@
 		return (PyObject *)op;
 	}
 
+	if (size > INT_MAX - sizeof(PyStringObject)) {
+		PyErr_SetString(PyExc_OverflowError, "string is too large");
+		return NULL;
+	}
+
 	/* Inline PyObject_NewVar */
 	op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
 	if (op == NULL)
@@ -104,7 +109,7 @@
 
 	assert(str != NULL);
 	size = strlen(str);
-	if (size > INT_MAX) {
+	if (size > INT_MAX - sizeof(PyStringObject)) {
 		PyErr_SetString(PyExc_OverflowError,
 			"string is too long for a Python string");
 		return NULL;
@@ -907,7 +912,18 @@
 		Py_INCREF(a);
 		return (PyObject *)a;
 	}
+	/* Check that string sizes are not negative, to prevent an
+	 overflow in cases where we are passed incorrectly-created
+	 strings with negative lengths (due to a bug in other code).
+	*/
 	size = a->ob_size + b->ob_size;
+	if (a->ob_size < 0 || b->ob_size < 0 ||
+	 a->ob_size > INT_MAX - b->ob_size) {
+		PyErr_SetString(PyExc_OverflowError,
+				"strings are too large to concat");
+		return NULL;
+	}
+
 	/* Inline PyObject_NewVar */
 	op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
 	if (op == NULL)
Modified: python/branches/release24-maint/Objects/tupleobject.c
==============================================================================
--- python/branches/release24-maint/Objects/tupleobject.c	(original)
+++ python/branches/release24-maint/Objects/tupleobject.c	Thu Jul 31 19:04:32 2008
@@ -60,11 +60,12 @@
 		int nbytes = size * sizeof(PyObject *);
 		/* Check for overflow */
 		if (nbytes / sizeof(PyObject *) != (size_t)size ||
-		 (nbytes += sizeof(PyTupleObject) - sizeof(PyObject *))
-		 <= 0)
+		 (nbytes > INT_MAX - sizeof(PyTupleObject) - sizeof(PyObject *)))
 		{
 			return PyErr_NoMemory();
 		}
+		nbytes += sizeof(PyTupleObject) - sizeof(PyObject *);
+
 		op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size);
 		if (op == NULL)
 			return NULL;
Modified: python/branches/release24-maint/Objects/unicodeobject.c
==============================================================================
--- python/branches/release24-maint/Objects/unicodeobject.c	(original)
+++ python/branches/release24-maint/Objects/unicodeobject.c	Thu Jul 31 19:04:32 2008
@@ -186,6 +186,11 @@
 return unicode_empty;
 }
 
+ /* Ensure we won't overflow the size. */
+ if (length > ((INT_MAX / sizeof(Py_UNICODE)) - 1)) {
+ return (PyUnicodeObject *)PyErr_NoMemory();
+ }
+
 /* Unicode freelist & memory allocation */
 if (unicode_freelist) {
 unicode = unicode_freelist;
@@ -1040,6 +1045,9 @@
 char * out;
 char * start;
 
+ if (cbAllocated / 5 != size)
+ return PyErr_NoMemory();
+
 if (size == 0)
 		return PyString_FromStringAndSize(NULL, 0);
 
@@ -1638,6 +1646,7 @@
 {
 PyObject *v;
 unsigned char *p;
+ int nsize, bytesize;
 #ifdef Py_UNICODE_WIDE
 int i, pairs;
 #else
@@ -1662,8 +1671,15 @@
 	if (s[i] >= 0x10000)
 	 pairs++;
 #endif
- v = PyString_FromStringAndSize(NULL,
-		 2 * (size + pairs + (byteorder == 0)));
+ /* 2 * (size + pairs + (byteorder == 0)) */
+ if (size > INT_MAX ||
+	size > INT_MAX - pairs - (byteorder == 0))
+	return PyErr_NoMemory();
+ nsize = (size + pairs + (byteorder == 0));
+ bytesize = nsize * 2;
+ if (bytesize / 2 != nsize)
+	return PyErr_NoMemory();
+ v = PyString_FromStringAndSize(NULL, bytesize);
 if (v == NULL)
 return NULL;
 
@@ -1977,6 +1993,11 @@
 char *p;
 
 static const char *hexdigit = "0123456789abcdef";
+#ifdef Py_UNICODE_WIDE
+ const int expandsize = 10;
+#else
+ const int expandsize = 6;
+#endif
 
 /* Initial allocation is based on the longest-possible unichr
 escape.
@@ -1992,13 +2013,12 @@
 escape.
 */
 
+ if (size > (INT_MAX - 2 - 1) / expandsize)
+	return PyErr_NoMemory();
+
 repr = PyString_FromStringAndSize(NULL,
 2
-#ifdef Py_UNICODE_WIDE
- + 10*size
-#else
- + 6*size
-#endif
+ + expandsize*size
 + 1);
 if (repr == NULL)
 return NULL;
@@ -2239,12 +2259,16 @@
 char *q;
 
 static const char *hexdigit = "0123456789abcdef";
-
 #ifdef Py_UNICODE_WIDE
- repr = PyString_FromStringAndSize(NULL, 10 * size);
+ const int expandsize = 10;
 #else
- repr = PyString_FromStringAndSize(NULL, 6 * size);
+ const int expandsize = 6;
 #endif
+ 
+ if (size > INT_MAX / expandsize)
+	return PyErr_NoMemory();
+ 
+ repr = PyString_FromStringAndSize(NULL, expandsize * size);
 if (repr == NULL)
 return NULL;
 if (size == 0)
@@ -4289,6 +4313,11 @@
 return self;
 }
 
+ if (left > INT_MAX - self->length ||
+	right > INT_MAX - (left + self->length)) {
+ PyErr_SetString(PyExc_OverflowError, "padded string is too long");
+ return NULL;
+ }
 u = _PyUnicode_New(left + self->length + right);
 if (u) {
 if (left)

More information about the Python-checkins mailing list

AltStyle によって変換されたページ (->オリジナル) /