Message 258779 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	Insu Yun
Recipients	Insu Yun, python-dev
Date	2016-01-21.23:40:14
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1453419614.27.0.67236780112.issue26171@psf.upfronthosting.co.za>
In-reply-to

Content
in zipimport.c 1116 bytes_size = compress == 0 ? data_size : data_size + 1; 1117 if (bytes_size == 0) 1118 bytes_size++; 1119 raw_data = PyBytes_FromStringAndSize((char *)NULL, bytes_size); If compress != 0, then bytes_size = data_size + 1 data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0. In that case bytes_size becomes 1 and python allocates small heap, but after that in fread, it overflows heap.

in zipimport.c
  1116     bytes_size = compress == 0 ? data_size : data_size + 1;
  1117     if (bytes_size == 0)
  1118         bytes_size++;
  1119     raw_data = PyBytes_FromStringAndSize((char *)NULL, bytes_size);

If compress != 0, then bytes_size = data_size + 1
data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0.
In that case bytes_size becomes 1 and python allocates small heap, but after that in fread, it overflows heap.

History
Date	User	Action	Args
2016-01-21 23:40:14	Insu Yun	set	recipients: + Insu Yun, python-dev
2016-01-21 23:40:14	Insu Yun	set	messageid: <1453419614.27.0.67236780112.issue26171@psf.upfronthosting.co.za>
2016-01-21 23:40:14	Insu Yun	link	issue26171 messages
2016-01-21 23:40:14	Insu Yun	create