	Issue #17016: Get rid of possible pointer wraparounds and integer overflows
in the re module. Patch by Nickolai Zeldovich.
		
							parent
							
								
									f756f947f9
								
							
						
					
					
						commit
						4bb17348f5
					
				
					 3 changed files with 15 additions and 11 deletions
				
			
		|  | @ -1344,6 +1344,7 @@ Milan Zamazal | |||
| Artur Zaprzala | ||||
| Mike Zarnstorff | ||||
| Siebren van der Zee | ||||
| Nickolai Zeldovich | ||||
| Yuxiao Zeng | ||||
| Uwe Zessin | ||||
| Cheng Zhang | ||||
|  |  | |||
|  | @ -29,6 +29,9 @@ Core and Builtins | |||
| Library | ||||
| ------- | ||||
| 
 | ||||
| - Issue #17016: Get rid of possible pointer wraparounds and integer overflows | ||||
|   in the re module.  Patch by Nickolai Zeldovich. | ||||
| 
 | ||||
| - Issue #16658: add missing return to HTTPConnection.send() | ||||
|   Patch by Jeff Knupp. | ||||
| 
 | ||||
|  |  | |||
|  | @ -655,7 +655,7 @@ do { \ | |||
|     alloc_pos = state->data_stack_base; \ | ||||
|     TRACE(("allocating %s in %d (%d)\n", \ | ||||
|            SFY(type), alloc_pos, sizeof(type))); \ | ||||
|     if (state->data_stack_size < alloc_pos+sizeof(type)) { \ | ||||
|     if (sizeof(type) > state->data_stack_size - alloc_pos) { \ | ||||
|         int j = data_stack_grow(state, sizeof(type)); \ | ||||
|         if (j < 0) return j; \ | ||||
|         if (ctx_pos != -1) \ | ||||
|  | @ -675,7 +675,7 @@ do { \ | |||
| do { \ | ||||
|     TRACE(("copy data in %p to %d (%d)\n", \ | ||||
|            data, state->data_stack_base, size)); \ | ||||
|     if (state->data_stack_size < state->data_stack_base+size) { \ | ||||
|     if (size > state->data_stack_size - state->data_stack_base) { \ | ||||
|         int j = data_stack_grow(state, size); \ | ||||
|         if (j < 0) return j; \ | ||||
|         if (ctx_pos != -1) \ | ||||
|  | @ -997,7 +997,7 @@ entrance: | |||
|             TRACE(("|%p|%p|REPEAT_ONE %d %d\n", ctx->pattern, ctx->ptr, | ||||
|                    ctx->pattern[1], ctx->pattern[2])); | ||||
| 
 | ||||
|             if (ctx->ptr + state->charsize * ctx->pattern[1] > end) | ||||
|             if (ctx->pattern[1] > (end - ctx->ptr) / state->charsize) | ||||
|                 RETURN_FAILURE; /* cannot match */ | ||||
| 
 | ||||
|             state->ptr = ctx->ptr; | ||||
|  | @ -1081,7 +1081,7 @@ entrance: | |||
|             TRACE(("|%p|%p|MIN_REPEAT_ONE %d %d\n", ctx->pattern, ctx->ptr, | ||||
|                    ctx->pattern[1], ctx->pattern[2])); | ||||
| 
 | ||||
|             if (ctx->ptr + state->charsize * ctx->pattern[1] > end) | ||||
|             if (ctx->pattern[1] > (end - ctx->ptr) / state->charsize) | ||||
|                 RETURN_FAILURE; /* cannot match */ | ||||
| 
 | ||||
|             state->ptr = ctx->ptr; | ||||
|  | @ -2779,7 +2779,7 @@ _compile(PyObject* self_, PyObject* args) | |||
|         skip = *code;                                   \ | ||||
|         VTRACE(("%lu (skip to %p)\n",                   \ | ||||
|                (unsigned long)skip, code+skip));        \ | ||||
|         if (code+skip-adj < code || code+skip-adj > end)\ | ||||
|         if (skip-adj > end-code)                        \ | ||||
|             FAIL;                                       \ | ||||
|         code++;                                         \ | ||||
|     } while (0) | ||||
|  | @ -2812,7 +2812,7 @@ _validate_charset(SRE_CODE *code, SRE_CODE *end) | |||
| 
 | ||||
|         case SRE_OP_CHARSET: | ||||
|             offset = 32/sizeof(SRE_CODE); /* 32-byte bitmap */ | ||||
|             if (code+offset < code || code+offset > end) | ||||
|             if (offset > end-code) | ||||
|                 FAIL; | ||||
|             code += offset; | ||||
|             break; | ||||
|  | @ -2820,7 +2820,7 @@ _validate_charset(SRE_CODE *code, SRE_CODE *end) | |||
|         case SRE_OP_BIGCHARSET: | ||||
|             GET_ARG; /* Number of blocks */ | ||||
|             offset = 256/sizeof(SRE_CODE); /* 256-byte table */ | ||||
|             if (code+offset < code || code+offset > end) | ||||
|             if (offset > end-code) | ||||
|                 FAIL; | ||||
|             /* Make sure that each byte points to a valid block */ | ||||
|             for (i = 0; i < 256; i++) { | ||||
|  | @ -2829,7 +2829,7 @@ _validate_charset(SRE_CODE *code, SRE_CODE *end) | |||
|             } | ||||
|             code += offset; | ||||
|             offset = arg * 32/sizeof(SRE_CODE); /* 32-byte bitmap times arg */ | ||||
|             if (code+offset < code || code+offset > end) | ||||
|             if (offset > end-code) | ||||
|                 FAIL; | ||||
|             code += offset; | ||||
|             break; | ||||
|  | @ -2980,11 +2980,11 @@ _validate_inner(SRE_CODE *code, SRE_CODE *end, Py_ssize_t groups) | |||
|                     GET_ARG; prefix_len = arg; | ||||
|                     GET_ARG; | ||||
|                     /* Here comes the prefix string */ | ||||
|                     if (code+prefix_len < code || code+prefix_len > newcode) | ||||
|                     if (prefix_len > newcode-code) | ||||
|                         FAIL; | ||||
|                     code += prefix_len; | ||||
|                     /* And here comes the overlap table */ | ||||
|                     if (code+prefix_len < code || code+prefix_len > newcode) | ||||
|                     if (prefix_len > newcode-code) | ||||
|                         FAIL; | ||||
|                     /* Each overlap value should be < prefix_len */ | ||||
|                     for (i = 0; i < prefix_len; i++) { | ||||
|  | @ -3113,7 +3113,7 @@ _validate_inner(SRE_CODE *code, SRE_CODE *end, Py_ssize_t groups) | |||
|                to allow arbitrary jumps anywhere in the code; so we just look | ||||
|                for a JUMP opcode preceding our skip target. | ||||
|             */ | ||||
|             if (skip >= 3 && code+skip-3 >= code && | ||||
|             if (skip >= 3 && skip-3 < end-code && | ||||
|                 code[skip-3] == SRE_OP_JUMP) | ||||
|             { | ||||
|                 VTRACE(("both then and else parts present\n")); | ||||
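Review bot: In the SRE_OP_BIGCHARSET case of _validate_charset, `offset = arg * 32/sizeof(SRE_CODE)` still multiplies before any bound is applied, so the rewritten `offset > end-code` test only sees a product that may already have wrapped. `arg` is read by GET_ARG from the code array being validated and its declaration is outside the hunk; if it has SRE_CODE's unsigned width, a large block count can wrap to a small offset and pass, and the preceding per-byte `>= arg` test cannot fail for a count above 255. Bounding the count before the multiplication, for example `if (arg > (end-code) / (32/sizeof(SRE_CODE))) FAIL;`, would close this in the same subtraction-and-divide style the other hunks use. Separately, the new comparisons mix unsigned SRE_CODE values with signed pointer differences (`skip-adj > end-code`, `prefix_len > newcode-code`), so an explicit cast or a short comment stating that the right-hand side is non-negative at each site would make the intended conversion clear.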
|  |  | |||
	 Serhiy Storchaka
						Serhiy Storchaka