Author Insu Yun
Recipients Insu Yun, python-dev
Date 2016-01-21.23:40:14
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1453419614.27.0.67236780112.issue26171@psf.upfronthosting.co.za>
In-reply-to
Content
in zipimport.c
  1116     bytes_size = compress == 0 ? data_size : data_size + 1;
  1117     if (bytes_size == 0)
  1118         bytes_size++;
  1119     raw_data = PyBytes_FromStringAndSize((char *)NULL, bytes_size);

If compress != 0, then bytes_size = data_size + 1
data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0.
In that case bytes_size becomes 1 and python allocates small heap, but after that in fread, it overflows heap.
History
Date User Action Args
2016-01-21 23:40:14Insu Yunsetrecipients: + Insu Yun, python-dev
2016-01-21 23:40:14Insu Yunsetmessageid: <1453419614.27.0.67236780112.issue26171@psf.upfronthosting.co.za>
2016-01-21 23:40:14Insu Yunlinkissue26171 messages
2016-01-21 23:40:14Insu Yuncreate