freebsd/ports
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ports/lang/python25/files/patch-objects_obmalloc.c
Martin Wilke 8a1ff65b9b - Security fixes 
Multiple vulnerabilities:

	1) Various integer overflow errors exist in core modules e.g. stringobject,
	   unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule, mmapmodule.
	2) An integer overflow in the hashlib module can lead to an unreliable cryptographic digest results.
	3) Integer overflow errors in the processing of unicode strings can be exploited to cause
	   buffer overflows on 32-bit systems.
	4) An integer overflow exists in the PyOS_vsnprintf() function on architectures that do not
	   have a "vsnprintf()" function.
	5) An integer underflow error in the PyOS_vsnprintf() function when passing zero-length strings
	   can lead to memory corruption.

PR:		127172 (based on)
Submitted by:	bf <bf2006a@yahoo.com>
Obtained from:	python svn
Security:	CVE-2008-2315, CVE-2008-2316, CVE-2008-3142, CVE-2008-3144, CVE-2008-3143. (vuxml come later)
2008-09-08 00:14:06 +00:00

35 lines
1.1 KiB
C
Raw Blame History

--- Objects/obmalloc.c.orig 2008-02-14 11:26:18.000000000 +0000
+++ Objects/obmalloc.c 2008-08-30 10:39:43.000000000 +0100
@@ -727,6 +727,15 @@
uint size;
/*
+ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes.
+ * Most python internals blindly use a signed Py_ssize_t to track
+ * things without checking for overflows or negatives.
+ * As size_t is unsigned, checking for nbytes < 0 is not required.
+ */
+ if (nbytes > PY_SSIZE_T_MAX)
+ return NULL;
+
+ /*
* This implicitly redirects malloc(0).
*/
if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) {
@@ -1130,6 +1139,15 @@
if (p == NULL)
return PyObject_Malloc(nbytes);
+ /*
+ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes.
+ * Most python internals blindly use a signed Py_ssize_t to track
+ * things without checking for overflows or negatives.
+ * As size_t is unsigned, checking for nbytes < 0 is not required.
+ */
+ if (nbytes > PY_SSIZE_T_MAX)
+ return NULL;
+
pool = POOL_ADDR(p);
if (Py_ADDRESS_IN_RANGE(p, pool)) {
/* We're in charge of this block */
Reference in New Issue View Git Blame Copy Permalink