Message258733
In zipimport.c:

    bytes_size = compress == 0 ? data_size : data_size + 1;
    if (bytes_size == 0)
        bytes_size++;
    raw_data = PyBytes_FromStringAndSize((char *)NULL, bytes_size);

If compress != 0, then bytes_size = data_size + 1.
data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0.
In that case bytes_size becomes 1 and Python allocates a small heap buffer, but after that, in fread, it overflows the heap.

| Date | User | Action | Args |
| 2016-01-21 03:52:33 | Insu Yun | set | recipients: + Insu Yun |
| 2016-01-21 03:52:33 | Insu Yun | set | messageid: <1453348353.03.0.314168195173.issue26171@psf.upfronthosting.co.za> |
| 2016-01-21 03:52:32 | Insu Yun | link | issue26171 messages |
| 2016-01-21 03:52:32 | Insu Yun | create | |
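
The size computation reported above, next to a validated variant, as an added example that is not code from CPython or from the reporter. It assumes data_size and compress are signed long values and that the read length is passed on as a size_t; checked_bytes_size, read_request and the file_size parameter are hypothetical names.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Mirrors the size computation quoted from zipimport.c. Arithmetic is done
 * in unsigned long so this demo itself has no signed-overflow UB. */
static long unchecked_bytes_size(long data_size, long compress)
{
    long bytes_size = compress == 0 ? data_size
                                    : (long)((unsigned long)data_size + 1UL);
    if (bytes_size == 0)
        bytes_size++;
    return bytes_size;
}

/* Hypothetical hardened variant: validate data_size before any arithmetic.
 * file_size is the archive's size on disk (an assumed extra input): an entry
 * cannot hold more bytes than the file that contains it.
 * Returns 0 and stores the allocation size on success, -1 on a bad header. */
static int checked_bytes_size(long data_size, long compress, long file_size,
                              long *bytes_size)
{
    if (data_size < 0 || file_size < 0 || data_size > file_size)
        return -1;                      /* negative or impossible length */
    if (compress != 0 && data_size == LONG_MAX)
        return -1;                      /* data_size + 1 would overflow */
    *bytes_size = compress == 0 ? data_size : data_size + 1;
    if (*bytes_size == 0)
        *bytes_size = 1;
    return 0;
}

/* Byte count a read call receives when data_size is passed as size_t. */
static size_t read_request(long data_size)
{
    return (size_t)data_size;
}

int main(void)
{
    long n = 0;
    /* Constructed header value: data_size = -1 on a compressed entry. */
    printf("unchecked: alloc=%ld read=%zu\n",
           unchecked_bytes_size(-1, 8), read_request(-1));
    printf("checked(-1): %d\n", checked_bytes_size(-1, 8, 4096, &n));
    if (checked_bytes_size(100, 8, 4096, &n) == 0)
        printf("checked(100): alloc=%ld\n", n);
    return 0;
}
```

The unchecked path yields a 1-byte allocation while the read length converts to the maximum size_t value, which is the mismatch the report describes; the checked path rejects the header before allocating.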