mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-10-03 13:45:29 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

backport r66496: integer overflow in _hashopenssl #3886

Browse source
This commit is contained in:
Benjamin Peterson 2008-09-18 01:27:26 +00:00
parent 308334d6a4
commit c610afbca4
3 changed files with 61 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

18
Lib/test/test_hashlib.py
View file

@ -9,7 +9,7 @@
import hashlib import hashlib
import unittest import unittest
from test import test_support from test import test_support
from test.test_support import _4G, precisionbigmemtest
def hexstr(s): def hexstr(s):
import string import string
@ -55,7 +55,6 @@ class HashLibTestCase(unittest.TestCase):
m2.update(aas + bees + cees) m2.update(aas + bees + cees)
self.assertEqual(m1.digest(), m2.digest()) self.assertEqual(m1.digest(), m2.digest())
def check(self, name, data, digest): def check(self, name, data, digest):
# test the direct constructors # test the direct constructors
computed = getattr(hashlib, name)(data).hexdigest() computed = getattr(hashlib, name)(data).hexdigest()
@ -75,6 +74,21 @@ class HashLibTestCase(unittest.TestCase):
self.check('md5', 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789', self.check('md5', 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789',
'd174ab98d277d9f5a5611c2c9f419d9f') 'd174ab98d277d9f5a5611c2c9f419d9f')
@precisionbigmemtest(size=_4G + 5, memuse=1)
def test_case_md5_huge(self, size):
if size == _4G + 5:
try:
self.check('md5', 'A'*size, 'c9af2dff37468ce5dfee8f2cfc0a9c6d')
except OverflowError:
pass # 32-bit arch
@precisionbigmemtest(size=_4G - 1, memuse=1)
def test_case_md5_uintmax(self, size):
if size == _4G - 1:
try:
self.check('md5', 'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3')
except OverflowError:
pass # 32-bit arch
# use the three examples from Federal Information Processing Standards # use the three examples from Federal Information Processing Standards
# Publication 180-1, Secure Hash Standard, 1995 April 17 # Publication 180-1, Secure Hash Standard, 1995 April 17

3
Misc/NEWS
View file

@ -173,6 +173,9 @@ Library
Extension Modules Extension Modules
----------------- -----------------
- Issue 3886: [CVE-2008-2316] Possible integer overflow in the _hashopenssl
module was closed.
- Issue 1179: [CVE-2007-4965] Integer overflow in imageop module. - Issue 1179: [CVE-2007-4965] Integer overflow in imageop module.
Also fixes rgbimg module. Also fixes rgbimg module.

49
Modules/_hashopenssl.c
View file

@ -19,6 +19,8 @@
/* EVP is the preferred interface to hashing in OpenSSL */ /* EVP is the preferred interface to hashing in OpenSSL */
#include <openssl/evp.h> #include <openssl/evp.h>
#define MUNCH_SIZE INT_MAX
#ifndef HASH_OBJ_CONSTRUCTOR #ifndef HASH_OBJ_CONSTRUCTOR
#define HASH_OBJ_CONSTRUCTOR 0 #define HASH_OBJ_CONSTRUCTOR 0
@ -164,9 +166,18 @@ EVP_update(EVPobject *self, PyObject *args)
if (!PyArg_ParseTuple(args, "s#:update", &cp, &len)) if (!PyArg_ParseTuple(args, "s#:update", &cp, &len))
return NULL; return NULL;
if (len > 0 && len <= MUNCH_SIZE) {
EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t,
unsigned int)); unsigned int));
} else {
Py_ssize_t offset = 0;
while (len) {
unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len;
EVP_DigestUpdate(&self->ctx, cp + offset, process);
len -= process;
offset += process;
}
}
Py_INCREF(Py_None); Py_INCREF(Py_None);
return Py_None; return Py_None;
} }
@ -255,9 +266,20 @@ EVP_tp_init(EVPobject *self, PyObject *args, PyObject *kwds)
self->name = name_obj; self->name = name_obj;
Py_INCREF(self->name); Py_INCREF(self->name);
if (cp && len) if (cp && len) {
if (len > 0 && len <= MUNCH_SIZE) {
EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t,
unsigned int)); unsigned int));
} else {
Py_ssize_t offset = 0;
while (len) {
unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len;
EVP_DigestUpdate(&self->ctx, cp + offset, process);
len -= process;
offset += process;
}
}
}
return 0; return 0;
} }
@ -328,7 +350,7 @@ static PyTypeObject EVPtype = {
static PyObject * static PyObject *
EVPnew(PyObject *name_obj, EVPnew(PyObject *name_obj,
const EVP_MD *digest, const EVP_MD_CTX *initial_ctx, const EVP_MD *digest, const EVP_MD_CTX *initial_ctx,
const unsigned char *cp, unsigned int len) const unsigned char *cp, Py_ssize_t len)
{ {
EVPobject *self; EVPobject *self;
@ -346,8 +368,20 @@ EVPnew(PyObject *name_obj,
EVP_DigestInit(&self->ctx, digest); EVP_DigestInit(&self->ctx, digest);
} }
if (cp && len) if (cp && len) {
EVP_DigestUpdate(&self->ctx, cp, len); if (len > 0 && len <= MUNCH_SIZE) {
EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t,
unsigned int));
} else {
Py_ssize_t offset = 0;
while (len) {
unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len;
EVP_DigestUpdate(&self->ctx, cp + offset, process);
len -= process;
offset += process;
}
}
}
return (PyObject *)self; return (PyObject *)self;
} }
@ -384,8 +418,7 @@ EVP_new(PyObject *self, PyObject *args, PyObject *kwdict)
digest = EVP_get_digestbyname(name); digest = EVP_get_digestbyname(name);
return EVPnew(name_obj, digest, NULL, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, return EVPnew(name_obj, digest, NULL, cp, len);
unsigned int));
} }
/* /*
@ -410,7 +443,7 @@ EVP_new(PyObject *self, PyObject *args, PyObject *kwdict)
CONST_ ## NAME ## _name_obj, \ CONST_ ## NAME ## _name_obj, \
NULL, \ NULL, \
CONST_new_ ## NAME ## _ctx_p, \ CONST_new_ ## NAME ## _ctx_p, \
cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int)); \ cp, len); \
} }
/* a PyMethodDef structure for the constructor */ /* a PyMethodDef structure for the constructor */