> On 2008/08/04 16:32, Valery Masiutsin wrote: > > Hello. > > > > What about issues in #2588, #2599, #2620 ? > > Oh... Are python users supposed to tramp through the tickets just > to identify the security problems? > > It would be nice if there was somewhere official to find these. > Like http://www.python.org/news/security/, but actually maintained. > > > As far as i see from reading svn log of release25-maint, there are > > also so called > > "apple security fixes" and commit related to openbsd fcntl > > handling. I've cherrypicked those patches, built python, it passes > > make regress, and works fine for me, > > is there any point to send the diff, at this point of time ? > > It might not go into the release, it's pretty late for that now, > but you may as well send it along rather than just hold onto it. > Ok, here it is. I think it could suite as a starting point for post-release activity.
#2588, #2589 - PyOS_vsnprintf() issues, i think they are unrelated to us, false alarm, so i skipped them. URL= http://svn.python.org/projects/python/branches/release25-maint 1. #2620 - Multiple buffer overflows in unicode processing. svn diff -r65234:65261 $URL 2. apple security patches svn diff -r65261:65334 $URL 3. OpenBSD fcntl.ioctl handling on 64-bit OpenBSD. svn diff -r65461:65466 $URL I removed the bits applied to Misc/News file, i did not apply fixes mentioned earlier, i am ready to do this, if it needs so. Tested on amd64. Regards Valery. Index: patches/patch-Include_pymem_h =================================================================== RCS file: patches/patch-Include_pymem_h diff -N patches/patch-Include_pymem_h --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Include_pymem_h 4 Aug 2008 15:17:15 -0000 @@ -0,0 +1,59 @@ +$OpenBSD$ +--- Include/pymem.h.orig Thu Feb 14 13:26:18 2008 ++++ Include/pymem.h Mon Aug 4 21:12:55 2008 +@@ -67,8 +67,12 @@ PyAPI_FUNC(void) PyMem_Free(void *); + for malloc(0), which would be treated as an error. Some platforms + would return a pointer with no memory behind it, which would break + pymalloc. To solve these problems, allocate an extra byte. */ +-#define PyMem_MALLOC(n) malloc((n) ? (n) : 1) +-#define PyMem_REALLOC(p, n) realloc((p), (n) ? (n) : 1) ++/* Returns NULL to indicate error if a negative size or size larger than ++ Py_ssize_t can represent is supplied. Helps prevents security holes. */ ++#define PyMem_MALLOC(n) (((n) < 0 || (n) > PY_SSIZE_T_MAX) ? NULL \ ++ : malloc((n) ? (n) : 1)) ++#define PyMem_REALLOC(p, n) (((n) < 0 || (n) > PY_SSIZE_T_MAX) ? NULL \ ++ : > realloc((p), (n) ? (n) : 1)) + #define PyMem_FREE free + + #endif /* PYMALLOC_DEBUG */ +@@ -77,24 +81,31 @@ PyAPI_FUNC(void) PyMem_Free(void *); + * Type-oriented memory interface + * ============================== + * +- * These are carried along for historical reasons. There's rarely a good +- * reason to use them anymore (you can just as easily do the multiply and +- * cast yourself). ++ * Allocate memory for n objects of the given type. Returns a new pointer ++ * or NULL if the request was too large or memory allocation failed. Use ++ * these macros rather than doing the multiplication yourself so that proper ++ * overflow checking is always done. + */ + + #define PyMem_New(type, n) \ +- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ ++ ( ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \ + ( (type *) PyMem_Malloc((n) * sizeof(type)) ) ) + #define PyMem_NEW(type, n) \ +- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ ++ ( ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \ + ( (type *) PyMem_MALLOC((n) * sizeof(type)) ) ) + ++/* ++ * The value of (p) is always clobbered by this macro regardless of success. ++ * The caller MUST check if (p) is NULL afterwards and deal with the memory ++ * error if so. This means the original value of (p) MUST be saved for the ++ * caller's memory error handler to not lose track of it. ++ */ + #define PyMem_Resize(p, type, n) \ +- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ +- ( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) ) ++ ( (p) = ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \ ++ (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) + #define PyMem_RESIZE(p, type, n) \ +- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ +- ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) ) ++ ( (p) = ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \ ++ (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) + + /* PyMem{Del,DEL} are left over from ancient days, and shouldn't be used + * anymore. They're just confusing aliases for PyMem_{Free,FREE} now. Index: patches/patch-Lib_test_seq_tests_py =================================================================== RCS file: patches/patch-Lib_test_seq_tests_py diff -N patches/patch-Lib_test_seq_tests_py --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Lib_test_seq_tests_py 4 Aug 2008 15:17:15 -0000 @@ -0,0 +1,22 @@ +$OpenBSD$ +--- Lib/test/seq_tests.py.orig Mon Nov 12 22:04:41 2007 ++++ Lib/test/seq_tests.py Mon Aug 4 21:13:01 2008 +@@ -307,11 +307,13 @@ class CommonTest(unittest.TestCase): + self.assertEqual(id(s), id(s*1)) + + def test_bigrepeat(self): +- x = self.type2test([0]) +- x *= 2**16 +- self.assertRaises(MemoryError, x.__mul__, 2**16) +- if hasattr(x, '__imul__'): +- self.assertRaises(MemoryError, x.__imul__, 2**16) ++ import sys ++ if sys.maxint <= 2147483647: ++ x = self.type2test([0]) ++ x *= 2**16 ++ self.assertRaises(MemoryError, x.__mul__, 2**16) ++ if hasattr(x, '__imul__'): ++ self.assertRaises(MemoryError, x.__imul__, 2**16) + + def test_subscript(self): + a = self.type2test([10, 11]) Index: patches/patch-Lib_test_test_bigmem_py =================================================================== RCS file: patches/patch-Lib_test_test_bigmem_py diff -N patches/patch-Lib_test_test_bigmem_py --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Lib_test_test_bigmem_py 4 Aug 2008 15:17:15 -0000 @@ -0,0 +1,154 @@ +$OpenBSD$ +--- Lib/test/test_bigmem.py.orig Fri Nov 30 23:53:17 2007 ++++ Lib/test/test_bigmem.py Mon Aug 4 21:13:01 2008 +@@ -1,5 +1,5 @@ + from test import test_support +-from test.test_support import bigmemtest, _1G, _2G ++from test.test_support import bigmemtest, _1G, _2G, _4G, precisionbigmemtest + + import unittest + import operator +@@ -54,6 +54,22 @@ class StrTest(unittest.TestCase): + self.assertEquals(s[lpadsize:-rpadsize], SUBSTR) + self.assertEquals(s.strip(), SUBSTR.strip()) + ++ @precisionbigmemtest(size=_2G - 1, memuse=1) ++ def test_center_unicode(self, size): ++ SUBSTR = u' abc def ghi' ++ try: ++ s = SUBSTR.center(size) ++ except OverflowError: ++ pass # acceptable on 32-bit ++ else: ++ self.assertEquals(len(s), size) ++ lpadsize = rpadsize = (len(s) - len(SUBSTR)) // 2 ++ if len(s) % 2: ++ lpadsize += 1 ++ self.assertEquals(s[lpadsize:-rpadsize], SUBSTR) ++ self.assertEquals(s.strip(), SUBSTR.strip()) ++ del s ++ + @bigmemtest(minsize=_2G, memuse=2) + def test_count(self, size): + SUBSTR = ' abc def ghi' +@@ -70,11 +86,45 @@ class StrTest(unittest.TestCase): + s = '.' * size + self.assertEquals(len(s.decode('utf-8')), size) + ++ def basic_encode_test(self, size, enc, c=u'.', expectedsize=None): ++ if expectedsize is None: ++ expectedsize = size ++ ++ s = c * size ++ self.assertEquals(len(s.encode(enc)), expectedsize) ++ + @bigmemtest(minsize=_2G + 2, memuse=3) + def test_encode(self, size): +- s = u'.' * size +- self.assertEquals(len(s.encode('utf-8')), size) ++ return self.basic_encode_test(size, 'utf-8') + ++ @precisionbigmemtest(size=_4G / 6 + 2, memuse=2) ++ def test_encode_raw_unicode_escape(self, size): ++ try: ++ return self.basic_encode_test(size, 'raw_unicode_escape') ++ except MemoryError: ++ pass # acceptable on 32-bit ++ ++ @precisionbigmemtest(size=_4G / 5 + 70, memuse=3) ++ def test_encode_utf7(self, size): ++ try: ++ return self.basic_encode_test(size, 'utf7') ++ except MemoryError: ++ pass # acceptable on 32-bit ++ ++ @precisionbigmemtest(size=_2G-1, memuse=2) ++ def test_decodeascii(self, size): ++ return self.basic_encode_test(size, 'ascii', c='A') ++ ++ @precisionbigmemtest(size=_4G / 5, memuse=6+2) ++ def test_unicode_repr_oflw(self, size): ++ try: ++ s = u"\uAAAA"*size ++ r = repr(s) ++ except MemoryError: ++ pass # acceptable on 32-bit ++ else: ++ self.failUnless(s == eval(r)) ++ + @bigmemtest(minsize=_2G, memuse=2) + def test_endswith(self, size): + SUBSTR = ' abc def ghi' +@@ -459,6 +509,11 @@ class StrTest(unittest.TestCase): + self.assertEquals(s.count('\\'), size) + self.assertEquals(s.count('0'), size * 2) + ++ @bigmemtest(minsize=2**32 / 5, memuse=6+2) ++ def test_unicode_repr(self, size): ++ s = u"\uAAAA" * size ++ self.failUnless(len(repr(s)) > size) ++ + # This test is meaningful even with size < 2G, as long as the + # doubled string is > 2G (but it tests more if both are > 2G :) + @bigmemtest(minsize=_1G + 2, memuse=3) +@@ -642,6 +697,35 @@ class TupleTest(unittest.TestCase): + def test_repeat_large(self, size): + return self.basic_test_repeat(size) + ++ @bigmemtest(minsize=_1G - 1, memuse=12) ++ def test_repeat_large_2(self, size): ++ return self.basic_test_repeat(size) ++ ++ @precisionbigmemtest(size=_1G - 1, memuse=9) ++ def test_from_2G_generator(self, size): ++ try: ++ t = tuple(xrange(size)) ++ except MemoryError: ++ pass # acceptable on 32-bit ++ else: ++ count = 0 ++ for item in t: ++ self.assertEquals(item, count) ++ count += 1 ++ self.assertEquals(count, size) ++ ++ @precisionbigmemtest(size=_1G - 25, memuse=9) ++ def test_from_almost_2G_generator(self, size): ++ try: ++ t = tuple(xrange(size)) ++ count = 0 ++ for item in t: ++ self.assertEquals(item, count) ++ count += 1 ++ self.assertEquals(count, size) ++ except MemoryError: ++ pass # acceptable, expected on 32-bit ++ + # Like test_concat, split in two. + def basic_test_repr(self, size): + t = (0,) * size +@@ -957,8 +1041,23 @@ class ListTest(unittest.TestCase): + self.assertEquals(l[:10], [1] * 10) + self.assertEquals(l[-10:], [5] * 10) + ++class BufferTest(unittest.TestCase): ++ ++ @precisionbigmemtest(size=_1G, memuse=4) ++ def test_repeat(self, size): ++ try: ++ b = buffer("AAAA")*size ++ except MemoryError: ++ pass # acceptable on 32-bit ++ else: ++ count = 0 ++ for c in b: ++ self.assertEquals(c, 'A') ++ count += 1 ++ self.assertEquals(count, size*4) ++ + def test_main(): +- test_support.run_unittest(StrTest, TupleTest, ListTest) ++ test_support.run_unittest(StrTest, TupleTest, ListTest, BufferTest) + + if __name__ == '__main__': + if len(sys.argv) > 1: Index: patches/patch-Lib_test_test_ioctl_py =================================================================== RCS file: patches/patch-Lib_test_test_ioctl_py diff -N patches/patch-Lib_test_test_ioctl_py --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Lib_test_test_ioctl_py 4 Aug 2008 15:17:15 -0000 @@ -0,0 +1,46 @@ +$OpenBSD$ +--- Lib/test/test_ioctl.py.orig Wed Sep 14 21:09:42 2005 ++++ Lib/test/test_ioctl.py Mon Aug 4 21:13:07 2008 +@@ -14,6 +14,11 @@ try: + except IOError: + raise TestSkipped("Unable to open /dev/tty") + ++try: ++ import pty ++except ImportError: ++ pty = None ++ + class IoctlTests(unittest.TestCase): + def test_ioctl(self): + # If this process has been put into the background, TIOCGPGRP returns +@@ -33,6 +38,30 @@ class IoctlTests(unittest.TestCase): + rpgrp = buf[0] + self.assertEquals(r, 0) + self.assert_(rpgrp in ids, "%s not in %s" % (rpgrp, ids)) ++ ++ def test_ioctl_signed_unsigned_code_param(self): ++ if not pty: ++ raise TestSkipped('pty module required') ++ mfd, sfd = pty.openpty() ++ try: ++ if termios.TIOCSWINSZ < 0: ++ set_winsz_opcode_maybe_neg = termios.TIOCSWINSZ ++ set_winsz_opcode_pos = termios.TIOCSWINSZ & 0xffffffffL ++ else: ++ set_winsz_opcode_pos = termios.TIOCSWINSZ ++ set_winsz_opcode_maybe_neg, = struct.unpack("i", ++ struct.pack("I", termios.TIOCSWINSZ)) ++ ++ # We're just testing that these calls do not raise exceptions. ++ saved_winsz = fcntl.ioctl(mfd, termios.TIOCGWINSZ, "\0"*8) ++ our_winsz = struct.pack("HHHH",80,25,0,0) ++ # test both with a positive and potentially negative ioctl code ++ new_winsz = fcntl.ioctl(mfd, set_winsz_opcode_pos, our_winsz) ++ new_winsz = fcntl.ioctl(mfd, set_winsz_opcode_maybe_neg, our_winsz) ++ fcntl.ioctl(mfd, set_winsz_opcode_maybe_neg, saved_winsz) ++ finally: ++ os.close(mfd) ++ os.close(sfd) + + def test_main(): + run_unittest(IoctlTests) Index: patches/patch-Lib_test_test_strop_py =================================================================== RCS file: patches/patch-Lib_test_test_strop_py diff -N patches/patch-Lib_test_test_strop_py --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Lib_test_test_strop_py 4 Aug 2008 15:17:15 -0000 @@ -0,0 +1,29 @@ +$OpenBSD$ +--- Lib/test/test_strop.py.orig Wed Jul 31 02:27:12 2002 ++++ Lib/test/test_strop.py Mon Aug 4 21:13:01 2008 +@@ -115,6 +115,25 @@ class StropFunctionTestCase(unittest.TestCase): + strop.uppercase + strop.whitespace + ++ @test_support.precisionbigmemtest(size=test_support._2G - 1, memuse=5) ++ def test_stropjoin_huge_list(self, size): ++ a = "A" * size ++ try: ++ r = strop.join([a, a], a) ++ except OverflowError: ++ pass ++ else: ++ self.assertEquals(len(r), len(a) * 3) ++ ++ @test_support.precisionbigmemtest(size=test_support._2G - 1, memuse=1) ++ def test_stropjoin_huge_tup(self, size): ++ a = "A" * size ++ try: ++ r = strop.join((a, a), a) ++ except OverflowError: ++ pass # acceptable on 32-bit ++ else: ++ self.assertEquals(len(r), len(a) * 3) + + transtable = '\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\02 1\022\023\024\025\026\027\030\031\032\033\034\035\036\037 !"#$%&\'()*+,-./0123456789:;< =>[EMAIL PROTECTED]|}~\177\200\201\202\203 \204\205\206\207\210\211\212\213\214\215\216\217\220\221\222\223\224\225\226\227\230\23 1\232\233\234\235\236\237\240\241\242\243\244\245\246\247\250\251\252\253\254\255\256\2 57\260\261\262\263\264\265\266\267\270\271\272\273\274\275\276\277\300\301\302\303\304\ 305\306\307\310\311\312\313\314\315\316\317\320\321\322\323\324\325\326\327\330\331\332 \333\334\335\336\337\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357\36 0\361\362\363\364\365\366\367\370\371\372\373\374\375\376\377' + Index: patches/patch-Lib_test_test_support_py =================================================================== RCS file: patches/patch-Lib_test_test_support_py diff -N patches/patch-Lib_test_test_support_py --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Lib_test_test_support_py 4 Aug 2008 15:17:15 -0000 @@ -0,0 +1,63 @@ +$OpenBSD$ +--- Lib/test/test_support.py.orig Sun Jan 27 03:24:44 2008 ++++ Lib/test/test_support.py Mon Aug 4 21:13:02 2008 +@@ -33,6 +33,7 @@ verbose = 1 # Flag set to 0 by regrtest.p + use_resources = None # Flag set to [] by regrtest.py + max_memuse = 0 # Disable bigmem tests (they will still be run with + # small sizes, to make sure they work.) ++real_max_memuse = 0 + + # _original_stdout is meant to hold stdout at the time regrtest began. + # This may be "the real" stdout, or IDLE's emulation of stdout, or whatever. +@@ -323,6 +324,7 @@ def run_with_locale(catstr, *locales): + _1M = 1024*1024 + _1G = 1024 * _1M + _2G = 2 * _1G ++_4G = 4 * _1G + + # Hack to get at the maximum value an internal index can take. + class _Dummy: +@@ -333,6 +335,7 @@ MAX_Py_ssize_t = _Dummy()[:] + def set_memlimit(limit): + import re + global max_memuse ++ global real_max_memuse + sizes = { + 'k': 1024, + 'm': _1M, +@@ -344,6 +347,7 @@ def set_memlimit(limit): + if m is None: + raise ValueError('Invalid memory limit %r' % (limit,)) + memlimit = int(float(m.group(1)) * sizes[m.group(3).lower()]) ++ real_max_memuse = memlimit + if memlimit > MAX_Py_ssize_t: + memlimit = MAX_Py_ssize_t + if memlimit < _2G - 1: +@@ -384,6 +388,27 @@ def bigmemtest(minsize, memuse, overhead=5*_1M): + maxsize = max(maxsize - 50 * _1M, minsize) + return f(self, maxsize) + wrapper.minsize = minsize ++ wrapper.memuse = memuse ++ wrapper.overhead = overhead ++ return wrapper ++ return decorator ++ ++def precisionbigmemtest(size, memuse, overhead=5*_1M): ++ def decorator(f): ++ def wrapper(self): ++ if not real_max_memuse: ++ maxsize = 5147 ++ else: ++ maxsize = size ++ ++ if real_max_memuse and real_max_memuse < maxsize * memuse: ++ if verbose: ++ sys.stderr.write("Skipping %s because of memory " ++ "constraint\n" % (f.__name__,)) ++ return ++ ++ return f(self, maxsize) ++ wrapper.size = size + wrapper.memuse = memuse + wrapper.overhead = overhead + return wrapper Index: patches/patch-Modules_almodule_c =================================================================== RCS file: patches/patch-Modules_almodule_c diff -N patches/patch-Modules_almodule_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_almodule_c 4 Aug 2008 15:17:16 -0000 @@ -0,0 +1,15 @@ +$OpenBSD$ +--- Modules/almodule.c.orig Mon Sep 25 09:53:42 2006 ++++ Modules/almodule.c Mon Aug 4 21:12:55 2008 +@@ -1633,9 +1633,11 @@ al_QueryValues(PyObject *self, PyObject *args) + if (nvals < 0) + goto cleanup; + if (nvals > setsize) { ++ ALvalue *old_return_set = return_set; + setsize = nvals; + PyMem_RESIZE(return_set, ALvalue, setsize); + if (return_set == NULL) { ++ return_set = old_return_set; + PyErr_NoMemory(); + goto cleanup; + } Index: patches/patch-Modules_arraymodule_c =================================================================== RCS file: patches/patch-Modules_arraymodule_c diff -N patches/patch-Modules_arraymodule_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_arraymodule_c 4 Aug 2008 15:17:16 -0000 @@ -0,0 +1,34 @@ +$OpenBSD$ +--- Modules/arraymodule.c.orig Fri Feb 15 21:11:46 2008 ++++ Modules/arraymodule.c Mon Aug 4 21:12:55 2008 +@@ -816,6 +816,7 @@ static int + array_do_extend(arrayobject *self, PyObject *bb) + { + Py_ssize_t size; ++ char *old_item; + + if (!array_Check(bb)) + return array_iter_extend(self, bb); +@@ -831,10 +832,11 @@ array_do_extend(arrayobject *self, PyObject *bb) + return -1; + } + size = self->ob_size + b->ob_size; ++ old_item = self->ob_item; + PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize); + if (self->ob_item == NULL) { +- PyObject_Del(self); +- PyErr_NoMemory(); ++ self->ob_item = old_item; ++ PyErr_NoMemory(); + return -1; + } + memcpy(self->ob_item + self->ob_size*self->ob_descr->itemsize, +@@ -886,7 +888,7 @@ array_inplace_repeat(arrayobject *self, Py_ssize_t n) + if (size > PY_SSIZE_T_MAX / n) { + return PyErr_NoMemory(); + } +- PyMem_Resize(items, char, n * size); ++ PyMem_RESIZE(items, char, n * size); + if (items == NULL) + return PyErr_NoMemory(); + p = items; Index: patches/patch-Modules_fcntlmodule_c =================================================================== RCS file: patches/patch-Modules_fcntlmodule_c diff -N patches/patch-Modules_fcntlmodule_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_fcntlmodule_c 4 Aug 2008 15:17:16 -0000 @@ -0,0 +1,29 @@ +$OpenBSD$ +--- Modules/fcntlmodule.c.orig Sat Jul 29 18:43:13 2006 ++++ Modules/fcntlmodule.c Mon Aug 4 21:13:07 2008 +@@ -97,11 +97,20 @@ fcntl_ioctl(PyObject *self, PyObject *args) + { + #define IOCTL_BUFSZ 1024 + int fd; +- /* In PyArg_ParseTuple below, use the unsigned int 'I' format for +- the signed int 'code' variable, because Python turns 0x8000000 +- into a large positive number (PyLong, or PyInt on 64-bit +- platforms,) whereas C expects it to be a negative int */ +- int code; ++ /* In PyArg_ParseTuple below, we use the unsigned non-checked 'I' ++ format for the 'code' parameter because Python turns 0x8000000 ++ into either a large positive number (PyLong or PyInt on 64-bit ++ platforms) or a negative number on others (32-bit PyInt) ++ whereas the system expects it to be a 32bit bit field value ++ regardless of it being passed as an int or unsigned long on ++ various platforms. See the termios.TIOCSWINSZ constant across ++ platforms for an example of thise. ++ ++ If any of the 64bit platforms ever decide to use more than 32bits ++ in their unsigned long ioctl codes this will break and need ++ special casing based on the platform being built on. ++ */ ++ unsigned int code; + int arg; + int ret; + char *str; Index: patches/patch-Modules_gcmodule_c =================================================================== RCS file: patches/patch-Modules_gcmodule_c diff -N patches/patch-Modules_gcmodule_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_gcmodule_c 4 Aug 2008 15:17:16 -0000 @@ -0,0 +1,24 @@ +$OpenBSD$ +--- Modules/gcmodule.c.orig Mon Oct 9 22:42:33 2006 ++++ Modules/gcmodule.c Mon Aug 4 21:13:02 2008 +@@ -1318,7 +1318,10 @@ PyObject * + _PyObject_GC_Malloc(size_t basicsize) + { + PyObject *op; +- PyGC_Head *g = (PyGC_Head *)PyObject_MALLOC( ++ PyGC_Head *g; ++ if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head)) ++ return PyErr_NoMemory(); ++ g = (PyGC_Head *)PyObject_MALLOC( + sizeof(PyGC_Head) + basicsize); + if (g == NULL) + return PyErr_NoMemory(); +@@ -1361,6 +1364,8 @@ _PyObject_GC_Resize(PyVarObject *op, Py_ssize_t nitems + { + const size_t basicsize = _PyObject_VAR_SIZE(op->ob_type, nitems); + PyGC_Head *g = AS_GC(op); ++ if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head)) ++ return (PyVarObject *)PyErr_NoMemory(); + g = (PyGC_Head *)PyObject_REALLOC(g, sizeof(PyGC_Head) + basicsize); + if (g == NULL) + return (PyVarObject *)PyErr_NoMemory(); Index: patches/patch-Modules_mmapmodule_c =================================================================== RCS file: patches/patch-Modules_mmapmodule_c diff -N patches/patch-Modules_mmapmodule_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_mmapmodule_c 4 Aug 2008 15:17:16 -0000 @@ -0,0 +1,12 @@ +$OpenBSD$ +--- Modules/mmapmodule.c.orig Tue Aug 22 16:57:07 2006 ++++ Modules/mmapmodule.c Mon Aug 4 21:13:02 2008 +@@ -223,7 +223,7 @@ mmap_read_method(mmap_object *self, + return(NULL); + + /* silently 'adjust' out-of-range requests */ +- if ((self->pos + num_bytes) > self->size) { ++ if (num_bytes > self->size - self->pos) { + num_bytes -= (self->pos+num_bytes) - self->size; + } + result = Py_BuildValue("s#", self->data+self->pos, num_bytes); Index: patches/patch-Modules_selectmodule_c =================================================================== RCS file: patches/patch-Modules_selectmodule_c diff -N patches/patch-Modules_selectmodule_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_selectmodule_c 4 Aug 2008 15:17:16 -0000 @@ -0,0 +1,17 @@ +$OpenBSD$ +--- Modules/selectmodule.c.orig Mon Jul 10 04:18:57 2006 ++++ Modules/selectmodule.c Mon Aug 4 21:12:55 2008 +@@ -349,10 +349,12 @@ update_ufd_array(pollObject *self) + { + Py_ssize_t i, pos; + PyObject *key, *value; ++ struct pollfd *old_ufds = self->ufds; + + self->ufd_len = PyDict_Size(self->dict); +- PyMem_Resize(self->ufds, struct pollfd, self->ufd_len); ++ PyMem_RESIZE(self->ufds, struct pollfd, self->ufd_len); + if (self->ufds == NULL) { ++ self->ufds = old_ufds; + PyErr_NoMemory(); + return 0; + } Index: patches/patch-Modules_stropmodule_c =================================================================== RCS file: patches/patch-Modules_stropmodule_c diff -N patches/patch-Modules_stropmodule_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_stropmodule_c 4 Aug 2008 15:17:16 -0000 @@ -0,0 +1,32 @@ +$OpenBSD$ +--- Modules/stropmodule.c.orig Thu Feb 14 13:26:18 2008 ++++ Modules/stropmodule.c Mon Aug 4 21:13:02 2008 +@@ -216,6 +216,13 @@ strop_joinfields(PyObject *self, PyObject *args) + return NULL; + } + slen = PyString_GET_SIZE(item); ++ if (slen > PY_SSIZE_T_MAX - reslen || ++ seplen > PY_SSIZE_T_MAX - reslen - seplen) { ++ PyErr_SetString(PyExc_OverflowError, ++ "input too long"); ++ Py_DECREF(res); ++ return NULL; ++ } + while (reslen + slen + seplen >= sz) { + if (_PyString_Resize(&res, sz * 2) < 0) + return NULL; +@@ -253,6 +260,14 @@ strop_joinfields(PyObject *self, PyObject *args) + return NULL; + } + slen = PyString_GET_SIZE(item); ++ if (slen > PY_SSIZE_T_MAX - reslen || ++ seplen > PY_SSIZE_T_MAX - reslen - seplen) { ++ PyErr_SetString(PyExc_OverflowError, ++ "input too long"); ++ Py_DECREF(res); ++ Py_XDECREF(item); ++ return NULL; ++ } + while (reslen + slen + seplen >= sz) { + if (_PyString_Resize(&res, sz * 2) < 0) { + Py_DECREF(item); Index: patches/patch-Objects_bufferobject_c =================================================================== RCS file: patches/patch-Objects_bufferobject_c diff -N patches/patch-Objects_bufferobject_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Objects_bufferobject_c 4 Aug 2008 15:17:16 -0000 @@ -0,0 +1,14 @@ +$OpenBSD$ +--- Objects/bufferobject.c.orig Thu Feb 14 13:26:18 2008 ++++ Objects/bufferobject.c Mon Aug 4 21:13:01 2008 +@@ -427,6 +427,10 @@ buffer_repeat(PyBufferObject *self, Py_ssize_t count) + count = 0; + if (!get_buf(self, &ptr, &size, ANY_BUFFER)) + return NULL; ++ if (count > PY_SSIZE_T_MAX / size) { ++ PyErr_SetString(PyExc_MemoryError, "result too large"); ++ return NULL; ++ } + ob = PyString_FromStringAndSize(NULL, size * count); + if ( ob == NULL ) + return NULL; Index: patches/patch-Objects_longobject_c =================================================================== RCS file: patches/patch-Objects_longobject_c diff -N patches/patch-Objects_longobject_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Objects_longobject_c 4 Aug 2008 15:17:16 -0000 @@ -0,0 +1,12 @@ +$OpenBSD$ +--- Objects/longobject.c.orig Mon May 7 21:30:48 2007 ++++ Objects/longobject.c Mon Aug 4 21:13:01 2008 +@@ -70,6 +70,8 @@ _PyLong_New(Py_ssize_t size) + PyErr_NoMemory(); + return NULL; + } ++ /* XXX(nnorwitz): This can overflow -- ++ PyObject_NEW_VAR / _PyObject_VAR_SIZE need to detect overflow */ + return PyObject_NEW_VAR(PyLongObject, &PyLong_Type, size); + } + Index: patches/patch-Objects_obmalloc_c =================================================================== RCS file: patches/patch-Objects_obmalloc_c diff -N patches/patch-Objects_obmalloc_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Objects_obmalloc_c 4 Aug 2008 15:17:16 -0000 @@ -0,0 +1,35 @@ +$OpenBSD$ +--- Objects/obmalloc.c.orig Thu Feb 14 13:26:18 2008 ++++ Objects/obmalloc.c Mon Aug 4 21:12:55 2008 +@@ -727,6 +727,15 @@ PyObject_Malloc(size_t nbytes) + uint size; + + /* ++ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes. ++ * Most python internals blindly use a signed Py_ssize_t to track ++ * things without checking for overflows or negatives. ++ * As size_t is unsigned, checking for nbytes < 0 is not required. ++ */ ++ if (nbytes > PY_SSIZE_T_MAX) ++ return NULL; ++ ++ /* + * This implicitly redirects malloc(0). + */ + if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) { +@@ -1129,6 +1138,15 @@ PyObject_Realloc(void *p, size_t nbytes) + + if (p == NULL) + return PyObject_Malloc(nbytes); ++ ++ /* ++ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes. ++ * Most python internals blindly use a signed Py_ssize_t to track ++ * things without checking for overflows or negatives. ++ * As size_t is unsigned, checking for nbytes < 0 is not required. ++ */ ++ if (nbytes > PY_SSIZE_T_MAX) ++ return NULL; + + pool = POOL_ADDR(p); + if (Py_ADDRESS_IN_RANGE(p, pool)) { Index: patches/patch-Objects_stringobject_c =================================================================== RCS file: patches/patch-Objects_stringobject_c diff -N patches/patch-Objects_stringobject_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Objects_stringobject_c 4 Aug 2008 15:17:16 -0000 @@ -0,0 +1,50 @@ +$OpenBSD$ +--- Objects/stringobject.c.orig Wed Nov 7 03:19:49 2007 ++++ Objects/stringobject.c Mon Aug 4 21:13:01 2008 +@@ -71,6 +71,11 @@ PyString_FromStringAndSize(const char *str, Py_ssize_t + return (PyObject *)op; + } + ++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) { ++ PyErr_SetString(PyExc_OverflowError, "string is too large"); ++ return NULL; ++ } ++ + /* Inline PyObject_NewVar */ + op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size); + if (op == NULL) +@@ -106,7 +111,7 @@ PyString_FromString(const char *str) + + assert(str != NULL); + size = strlen(str); +- if (size > PY_SSIZE_T_MAX) { ++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) { + PyErr_SetString(PyExc_OverflowError, + "string is too long for a Python string"); + return NULL; +@@ -967,14 +972,24 @@ string_concat(register PyStringObject *a, register PyO + Py_INCREF(a); + return (PyObject *)a; + } ++ /* Check that string sizes are not negative, to prevent an ++ overflow in cases where we are passed incorrectly-created ++ strings with negative lengths (due to a bug in other code). ++ */ + size = a->ob_size + b->ob_size; +- if (size < 0) { ++ if (a->ob_size < 0 || b->ob_size < 0 || ++ a->ob_size > PY_SSIZE_T_MAX - b->ob_size) { + PyErr_SetString(PyExc_OverflowError, + "strings are too large to concat"); + return NULL; + } + + /* Inline PyObject_NewVar */ ++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) { ++ PyErr_SetString(PyExc_OverflowError, ++ "strings are too large to concat"); ++ return NULL; ++ } + op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size); + if (op == NULL) + return PyErr_NoMemory(); Index: patches/patch-Objects_tupleobject_c =================================================================== RCS file: patches/patch-Objects_tupleobject_c diff -N patches/patch-Objects_tupleobject_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Objects_tupleobject_c 4 Aug 2008 15:17:16 -0000 @@ -0,0 +1,18 @@ +$OpenBSD$ +--- Objects/tupleobject.c.orig Sat Aug 12 20:03:09 2006 ++++ Objects/tupleobject.c Mon Aug 4 21:13:01 2008 +@@ -60,11 +60,12 @@ PyTuple_New(register Py_ssize_t size) + Py_ssize_t nbytes = size * sizeof(PyObject *); + /* Check for overflow */ + if (nbytes / sizeof(PyObject *) != (size_t)size || +- (nbytes += sizeof(PyTupleObject) - sizeof(PyObject *)) +- <= 0) ++ (nbytes > PY_SSIZE_T_MAX - sizeof(PyTupleObject) - sizeof(PyObject *))) + { + return PyErr_NoMemory(); + } ++ nbytes += sizeof(PyTupleObject) - sizeof(PyObject *); ++ + op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size); + if (op == NULL) + return NULL; Index: patches/patch-Objects_unicodeobject_c =================================================================== RCS file: patches/patch-Objects_unicodeobject_c diff -N patches/patch-Objects_unicodeobject_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Objects_unicodeobject_c 4 Aug 2008 15:17:16 -0000 @@ -0,0 +1,116 @@ +$OpenBSD$ +--- Objects/unicodeobject.c.orig Sat Nov 3 00:46:38 2007 ++++ Objects/unicodeobject.c Mon Aug 4 21:13:01 2008 +@@ -239,6 +239,11 @@ PyUnicodeObject *_PyUnicode_New(Py_ssize_t length) + return unicode_empty; + } + ++ /* Ensure we won't overflow the size. */ ++ if (length > ((PY_SSIZE_T_MAX / sizeof(Py_UNICODE)) - 1)) { ++ return (PyUnicodeObject *)PyErr_NoMemory(); ++ } ++ + /* Unicode freelist & memory allocation */ + if (unicode_freelist) { + unicode = unicode_freelist; +@@ -1091,6 +1096,9 @@ PyObject *PyUnicode_EncodeUTF7(const Py_UNICODE *s, + char * out; + char * start; + ++ if (cbAllocated / 5 != size) ++ return PyErr_NoMemory(); ++ + if (size == 0) + return PyString_FromStringAndSize(NULL, 0); + +@@ -1689,8 +1697,9 @@ PyUnicode_EncodeUTF16(const Py_UNICODE *s, + { + PyObject *v; + unsigned char *p; ++ Py_ssize_t nsize, bytesize; + #ifdef Py_UNICODE_WIDE +- int i, pairs; ++ Py_ssize_t i, pairs; + #else + const int pairs = 0; + #endif +@@ -1713,8 +1722,15 @@ PyUnicode_EncodeUTF16(const Py_UNICODE *s, + if (s[i] >= 0x10000) + pairs++; + #endif +- v = PyString_FromStringAndSize(NULL, +- 2 * (size + pairs + (byteorder == 0))); ++ /* 2 * (size + pairs + (byteorder == 0)) */ ++ if (size > PY_SSIZE_T_MAX || ++ size > PY_SSIZE_T_MAX - pairs - (byteorder == 0)) ++ return PyErr_NoMemory(); ++ nsize = (size + pairs + (byteorder == 0)); ++ bytesize = nsize * 2; ++ if (bytesize / 2 != nsize) ++ return PyErr_NoMemory(); ++ v = PyString_FromStringAndSize(NULL, bytesize); + if (v == NULL) + return NULL; + +@@ -2042,6 +2058,11 @@ PyObject *unicodeescape_string(const Py_UNICODE *s, + char *p; + + static const char *hexdigit = "0123456789abcdef"; ++#ifdef Py_UNICODE_WIDE ++ const Py_ssize_t expandsize = 10; ++#else ++ const Py_ssize_t expandsize = 6; ++#endif + + /* Initial allocation is based on the longest-possible unichr + escape. +@@ -2057,13 +2078,12 @@ PyObject *unicodeescape_string(const Py_UNICODE *s, + escape. + */ + ++ if (size > (PY_SSIZE_T_MAX - 2 - 1) / expandsize) ++ return PyErr_NoMemory(); ++ + repr = PyString_FromStringAndSize(NULL, + 2 +-#ifdef Py_UNICODE_WIDE +- + 10*size +-#else +- + 6*size +-#endif ++ + expandsize*size + + 1); + if (repr == NULL) + return NULL; +@@ -2304,12 +2324,16 @@ PyObject *PyUnicode_EncodeRawUnicodeEscape(const Py_UN + char *q; + + static const char *hexdigit = "0123456789abcdef"; +- + #ifdef Py_UNICODE_WIDE +- repr = PyString_FromStringAndSize(NULL, 10 * size); ++ const Py_ssize_t expandsize = 10; + #else +- repr = PyString_FromStringAndSize(NULL, 6 * size); ++ const Py_ssize_t expandsize = 6; + #endif ++ ++ if (size > PY_SSIZE_T_MAX / expandsize) ++ return PyErr_NoMemory(); ++ ++ repr = PyString_FromStringAndSize(NULL, expandsize * size); + if (repr == NULL) + return NULL; + if (size == 0) +@@ -4719,6 +4743,11 @@ PyUnicodeObject *pad(PyUnicodeObject *self, + return self; + } + ++ if (left > PY_SSIZE_T_MAX - self->length || ++ right > PY_SSIZE_T_MAX - (left + self->length)) { ++ PyErr_SetString(PyExc_OverflowError, "padded string is too long"); ++ return NULL; ++ } + u = _PyUnicode_New(left + self->length + right); + if (u) { + if (left)
