
Anonymous committed 200c8aa

- Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size
parameter but was not verifying that it was greater than zero. Values
less than zero will now raise a SystemError and return NULL to indicate a
bug in the calling C code. CVE-2008-1887.

backport r62261, r62271

  • Parent commits 9781eef
  • Branches 2.4


Files changed (2)

 - Issues #2588, #2589: Fix potential integer underflow and overflow
   conditions in the PyOS_vsnprintf C API function. CVE-2008-3144.
 
+- Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size
+  parameter but was not verifying that it was greater than zero.  Values
+  less than zero will now raise a SystemError and return NULL to indicate a
+  bug in the calling C code. CVE-2008-1887.
+
 Extension Modules
 -----------------
 
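Review bot: The new NEWS entry says the size was not verified to be "greater than zero", but the check added in Objects/stringobject.c is `size < 0`, and the following `size == 0` branch shows that zero is a valid size. Suggest wording it as "was not verifying that it was non-negative" so the entry matches the behaviour; the next sentence ("Values less than zero will now raise a SystemError") is already accurate.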

File Objects/stringobject.c

 PyString_FromStringAndSize(const char *str, int size)
 {
 	register PyStringObject *op;
+
+	if (size < 0) {
+		PyErr_SetString(PyExc_SystemError,
+		    "Negative size passed to PyString_FromStringAndSize");
+		return NULL;
+	}
+
 	if (size == 0 && (op = nullstring) != NULL) {
 #ifdef COUNT_ALLOCS
 		null_strings++;
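Review bot: No regression test accompanies the new `if (size < 0)` guard at the top of PyString_FromStringAndSize(); the commit touches only the NEWS file and Objects/stringobject.c. Suggest adding a test that passes a negative size and asserts that NULL is returned with SystemError set, so the backport stays covered on the 2.4 branch. Since a negative size now yields a NULL return, it is also worth auditing callers that compute `size` arithmetically and confirming they check the result before dereferencing it. The guard covers only the lower bound; the visible lines do not show how a very large `size` is handled before allocation, so that path should be confirmed separately.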