path: root/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-7185.patch
From 104eb318283dde5203aa6cf7384287bef181e308 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Wed, 12 Nov 2014 01:58:02 -0500
Subject: [PATCH] python: fix CVE-2014-7185

Reference: http://bugs.python.org/issue21831

CVE-2014-7185: Integer overflow in bufferobject.c in Python before
2.7.8 allows context-dependent attackers to obtain sensitive
information from process memory via a large size and offset in a
"buffer" function.

Upstream-Status: Backport

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
 Lib/test/test_buffer.py |    6 ++++++
 Misc/NEWS               |    3 +++
 Objects/bufferobject.c  |    2 +-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/Lib/test/test_buffer.py b/Lib/test/test_buffer.py
index 6bdc34d..3ac1f8c 100644
--- a/Lib/test/test_buffer.py
+++ b/Lib/test/test_buffer.py
@@ -4,6 +4,7 @@ For now, tests just new or changed functionality.
 
 """
 
+import sys
 import unittest
 from test import test_support
 
@@ -21,6 +22,11 @@ class BufferTests(unittest.TestCase):
                     self.assertEqual(b[start:stop:step],
                                      s[start:stop:step])
 
+    def test_large_buffer_size_and_offset(self):
+        data = bytearray('hola mundo')
+        buf = buffer(data, sys.maxsize, sys.maxsize)
+        self.assertEqual(buf[:4096], "")
+
 
 def test_main():
     with test_support.check_py3k_warnings(("buffer.. not supported",
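Review bot: test_large_buffer_size_and_offset only exercises an offset that lies past the end of the data, so it passes whenever the result is empty and never checks that an oversized length is clamped to the bytes that remain. An offset inside the data combined with a huge size reaches the same comparison in get_buf and pins the clamped value; for example add `self.assertEqual(buffer(data, 5, sys.maxsize)[:], "mundo")`. The method also has nothing tying it to the issue, so a comment such as `# Issue #21831 / CVE-2014-7185: size + offset must not overflow` above the body would record why the regression test exists. The BufferTests class begins outside the hunk.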
diff --git a/Misc/NEWS b/Misc/NEWS
index e8778ad..77396c5 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -1896,6 +1896,9 @@ What's New in Python 2.7 Release Candidate 1?
 Core and Builtins
 -----------------
 
+- Issue #21831: Avoid integer overflow when large sizes and offsets are given to
+  the buffer type. CVE-2014-7185.
+
 - Issue #8271: during the decoding of an invalid UTF-8 byte sequence, only the
   start byte and the continuation byte(s) are now considered invalid, instead
   of the number of bytes specified by the start byte.
diff --git a/Objects/bufferobject.c b/Objects/bufferobject.c
index c52f0bc..c542506 100644
--- a/Objects/bufferobject.c
+++ b/Objects/bufferobject.c
@@ -88,7 +88,7 @@ get_buf(PyBufferObject *self, void **ptr, Py_ssize_t *size,
             *size = count;
         else
             *size = self->b_size;
-        if (offset + *size > count)
+        if (*size > count - offset)
             *size = count - offset;
     }
     return 1;
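Review bot: The rewritten check `*size > count - offset` is overflow-free only if `0 <= offset <= count` holds at this point, and the lines that would establish that are not in the hunk. Presumably offset is clamped to count earlier in get_buf, since the next line already assigns `*size = count - offset`, but that should be confirmed against the full function. A one-line comment would record the invariant for the next reader, e.g. `/* offset is in [0, count] here, so count - offset cannot overflow */`. get_buf starts and ends outside the hunk.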
-- 
1.7.9.5