[issue26171] heap overflow in zipimporter module
Insu Yun
report at bugs.python.org
Wed Jan 20 22:52:33 EST 2016
New submission from Insu Yun:
in zipimport.c
1116 bytes_size = compress == 0 ? data_size : data_size + 1;
1117 if (bytes_size == 0)
1118 bytes_size++;
1119 raw_data = PyBytes_FromStringAndSize((char *)NULL, bytes_size);
If compress != 0, then bytes_size = data_size + 1
data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0.
In that case bytes_size becomes 1 and python allocates small heap, but after that in fread, it overflows heap.
----------
files: crash.py
messages: 258733
nosy: Insu Yun
priority: normal
severity: normal
status: open
title: heap overflow in zipimporter module
type: security
versions: Python 3.6
Added file: http://bugs.python.org/file41677/crash.py
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue26171>
_______________________________________
More information about the Python-bugs-list
mailing list