Author Parvesh jain
Recipients Insu Yun, Parvesh jain, berker.peksag, georg.brandl, ned.deily, python-dev, vladk
Date 2016-10-07.03:57:42
Message-id <1475812663.87.0.682366979286.issue26171@psf.upfronthosting.co.za>
Content
I think the patches put up in http://bugs.python.org/msg258736 are at least not sufficient for Python 2.7.
The POC script (crash.py) provided with the issue calls get_data with data_size = -1.
I am using Python 2.7.8. I patched the same with the solution provided in https://hg.python.org/cpython/rev/985fc64c60d6. I was still able to reproduce the issue and it failed with:

Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
IOError: zipimport: can't read data
Segmentation fault (core dumped)


but I couldn't reproduce the same with the latest 2.7.12:

jchang@qasus-ubun12x64-001:~/Downloads/Python-2.7.12$ python2.7 -V
Python 2.7.12
jchang@qasus-ubun12x64-001:~/Downloads/Python-2.7.12$ python2.7 crash.py
Traceback (most recent call last):
  File "crash.py", line 25, in <module>
    print(importer.get_data(FILE))
zipimport.ZipImportError: negative data size

As we can see, the issue does happen in 2.7.12 because of the following extra check:

if (data_size < 0) {
    PyErr_Format(ZipImportError, "negative data size");
    return NULL;
}

which was merged in https://hg.python.org/cpython/rev/2edbdb79cd6d.

I was thinking of backporting the same to Python 2.7.8 as well to completely address this issue. Could you guys confirm if my understanding is correct on this? Thanks
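
Added example, not part of the original message and not CPython's code: a minimal C reader showing how a 4-byte size field of 0xFFFFFFFF turns into data_size == -1, and where a `data_size < 0` check like the one quoted above has to sit relative to the allocation. The record layout and the names read_le32_signed and load_entry are hypothetical; the sample record is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { ENTRY_OK = 0, ENTRY_NEGATIVE_SIZE = -1, ENTRY_TRUNCATED = -2, ENTRY_NOMEM = -3 };

/* Decode a 4-byte little-endian field as a signed value, which is how a
   stored size of 0xFFFFFFFF becomes -1 once it lands in a C long.
   (The uint32_t -> int32_t cast assumes two's complement.) */
static long read_le32_signed(const unsigned char *p)
{
    uint32_t u = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (long)(int32_t)u;
}

/* Hypothetical record layout: [4-byte size][payload]. Returns the payload
   in a freshly allocated, NUL-terminated buffer via *out. */
static int load_entry(const unsigned char *rec, size_t rec_len, char **out)
{
    long data_size;
    char *buf;
    *out = NULL;
    if (rec_len < 4)
        return ENTRY_TRUNCATED;
    data_size = read_le32_signed(rec);
    if (data_size < 0)                      /* the check quoted above */
        return ENTRY_NEGATIVE_SIZE;
    if ((size_t)data_size > rec_len - 4)    /* claimed size exceeds input */
        return ENTRY_TRUNCATED;
    buf = malloc((size_t)data_size + 1);
    if (buf == NULL)
        return ENTRY_NOMEM;
    memcpy(buf, rec + 4, (size_t)data_size);
    buf[data_size] = '\0';
    *out = buf;
    return ENTRY_OK;
}

int main(void)
{
    /* Constructed sample: size field 0xFFFFFFFF, i.e. data_size == -1. */
    const unsigned char rec[] = { 0xff, 0xff, 0xff, 0xff, 'x' };
    char *data;
    printf("load_entry -> %d\n", load_entry(rec, sizeof rec, &data));
    free(data);
    return 0;
}
```

The second bound (claimed size against bytes actually available) goes beyond the check quoted in the message; it is included because a non-negative but oversized value needs rejecting at the same point.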