Author Insu Yun
Recipients Insu Yun
Date 2016-01-21.03:52:31
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1453348353.03.0.314168195173.issue26171@psf.upfronthosting.co.za>
In-reply-to
Content
in zipimport.c
  1116     bytes_size = compress == 0 ? data_size : data_size + 1;
  1117     if (bytes_size == 0)
  1118         bytes_size++;
  1119     raw_data = PyBytes_FromStringAndSize((char *)NULL, bytes_size);

If compress != 0, then bytes_size = data_size + 1
data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0.
In that case bytes_size becomes 1 and python allocates small heap, but after that in fread, it overflows heap.
History
Date User Action Args
2016-01-21 03:52:33Insu Yunsetrecipients: + Insu Yun
2016-01-21 03:52:33Insu Yunsetmessageid: <1453348353.03.0.314168195173.issue26171@psf.upfronthosting.co.za>
2016-01-21 03:52:32Insu Yunlinkissue26171 messages
2016-01-21 03:52:32Insu Yuncreate