Message258779
In zipimport.c:

    bytes_size = compress == 0 ? data_size : data_size + 1;
    if (bytes_size == 0)
        bytes_size++;
    raw_data = PyBytes_FromStringAndSize((char *)NULL, bytes_size);

If compress != 0, then bytes_size = data_size + 1
data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0.
In that case bytes_size becomes 1 and Python allocates a small heap, but after that, in fread, it overflows the heap.

Date | User | Action | Args
2016-01-21 23:40:14 | Insu Yun | set | recipients: + Insu Yun, python-dev
2016-01-21 23:40:14 | Insu Yun | set | messageid: <1453419614.27.0.67236780112.issue26171@psf.upfronthosting.co.za>
2016-01-21 23:40:14 | Insu Yun | link | issue26171 messages
2016-01-21 23:40:14 | Insu Yun | create |
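
Added example, not part of the original message and not CPython's code: the size computation quoted in the message next to a hypothetical validated variant, showing that data_size = -1 gives a 1-byte allocation while the read length derived from the same field is huge. The function names, the use of `long` for the header fields, and the sample values are assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Size computation as quoted in the message. The `long` types are an
   assumption; the message does not show the declarations. */
static long quoted_bytes_size(long compress, long data_size)
{
    long bytes_size = compress == 0 ? data_size : data_size + 1;
    if (bytes_size == 0)
        bytes_size++;
    return bytes_size;
}

/* Length a later fread(buf, 1, data_size, fp) would be asked to read:
   a negative value converted to size_t becomes a very large count. */
static size_t read_request(long data_size)
{
    return (size_t)data_size;
}

/* Hypothetical hardened variant: validate the archive-supplied field
   before any arithmetic. Returns 0 and stores the size, or -1 to reject. */
static int checked_bytes_size(long compress, long data_size, long *out)
{
    if (data_size < 0)
        return -1;                    /* negative length in the header */
    if (compress != 0 && data_size == LONG_MAX)
        return -1;                    /* data_size + 1 would overflow */
    *out = compress == 0 ? data_size : data_size + 1;
    if (*out == 0)
        *out = 1;
    return 0;
}

int main(void)
{
    long size = 0;
    long compress = 8;                /* constructed: any nonzero value */
    long data_size = -1;              /* constructed malformed header value */

    printf("quoted:  alloc=%ld read=%zu\n",
           quoted_bytes_size(compress, data_size), read_request(data_size));
    printf("checked: %s\n",
           checked_bytes_size(compress, data_size, &size) == 0 ? "accepted" : "rejected");
    return 0;
}
```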