cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixes for multiple security vulnerabilities:

Browse Source 
CVE-2008-1679 CVE-2008-1721 CVE-2008-1887
        CVE-2008-2316 CVE-2008-3142 CVE-2008-3144

Patches cherrypicked with assistance of val.masutin AT gmail.com and
Toni Mueller.

Tested by sthen@ naddy@ ok pvalchev@
This commit is contained in:
djm 2008-08-06 03:23:31 +00:00
parent dc3d9238b4
commit d39c4b92ff
27 changed files with 1243 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lang/python/2.5/Makefile
View File

@ -1,8 +1,8 @@
# $OpenBSD: Makefile,v 1.23 2008/07/25 19:32:21 sthen Exp $
# $OpenBSD: Makefile,v 1.24 2008/08/06 03:23:31 djm Exp $
VERSION= 2.5
PATCHLEVEL= .2
PKG_PATCHLEVEL= p3
PKG_PATCHLEVEL= p4
SHARED_LIBS= python2.5 1.0
# PSUBDIR= python/${VERSION}

59
lang/python/2.5/patches/patch-Include_pymem_h Normal file
View File

@ -0,0 +1,59 @@
$OpenBSD: patch-Include_pymem_h,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Include/pymem.h.orig Thu Feb 14 22:26:18 2008
+++ Include/pymem.h Tue Aug 5 18:18:52 2008
@@ -67,8 +67,12 @@ PyAPI_FUNC(void) PyMem_Free(void *);
for malloc(0), which would be treated as an error. Some platforms
would return a pointer with no memory behind it, which would break
pymalloc. To solve these problems, allocate an extra byte. */
-#define PyMem_MALLOC(n) malloc((n) ? (n) : 1)
-#define PyMem_REALLOC(p, n) realloc((p), (n) ? (n) : 1)
+/* Returns NULL to indicate error if a negative size or size larger than
+ Py_ssize_t can represent is supplied. Helps prevents security holes. */
+#define PyMem_MALLOC(n) (((n) < 0 || (n) > PY_SSIZE_T_MAX) ? NULL \
+ : malloc((n) ? (n) : 1))
+#define PyMem_REALLOC(p, n) (((n) < 0 || (n) > PY_SSIZE_T_MAX) ? NULL \
+ : realloc((p), (n) ? (n) : 1))
#define PyMem_FREE free
#endif /* PYMALLOC_DEBUG */
@@ -77,24 +81,31 @@ PyAPI_FUNC(void) PyMem_Free(void *);
* Type-oriented memory interface
* ==============================
*
- * These are carried along for historical reasons. There's rarely a good
- * reason to use them anymore (you can just as easily do the multiply and
- * cast yourself).
+ * Allocate memory for n objects of the given type. Returns a new pointer
+ * or NULL if the request was too large or memory allocation failed. Use
+ * these macros rather than doing the multiplication yourself so that proper
+ * overflow checking is always done.
*/
#define PyMem_New(type, n) \
- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+ ( ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
( (type *) PyMem_Malloc((n) * sizeof(type)) ) )
#define PyMem_NEW(type, n) \
- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+ ( ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
( (type *) PyMem_MALLOC((n) * sizeof(type)) ) )
+/*
+ * The value of (p) is always clobbered by this macro regardless of success.
+ * The caller MUST check if (p) is NULL afterwards and deal with the memory
+ * error if so. This means the original value of (p) MUST be saved for the
+ * caller's memory error handler to not lose track of it.
+ */
#define PyMem_Resize(p, type, n) \
- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
- ( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) )
+ ( (p) = ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
+ (type *) PyMem_Realloc((p), (n) * sizeof(type)) )
#define PyMem_RESIZE(p, type, n) \
- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
- ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) )
+ ( (p) = ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
+ (type *) PyMem_REALLOC((p), (n) * sizeof(type)) )
/* PyMem{Del,DEL} are left over from ancient days, and shouldn't be used
* anymore. They're just confusing aliases for PyMem_{Free,FREE} now.

22
lang/python/2.5/patches/patch-Lib_test_seq_tests_py Normal file
View File

@ -0,0 +1,22 @@
$OpenBSD: patch-Lib_test_seq_tests_py,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Lib/test/seq_tests.py.orig Tue Nov 13 07:04:41 2007
+++ Lib/test/seq_tests.py Tue Aug 5 18:18:52 2008
@@ -307,11 +307,13 @@ class CommonTest(unittest.TestCase):
self.assertEqual(id(s), id(s*1))
def test_bigrepeat(self):
- x = self.type2test([0])
- x *= 2**16
- self.assertRaises(MemoryError, x.__mul__, 2**16)
- if hasattr(x, '__imul__'):
- self.assertRaises(MemoryError, x.__imul__, 2**16)
+ import sys
+ if sys.maxint <= 2147483647:
+ x = self.type2test([0])
+ x *= 2**16
+ self.assertRaises(MemoryError, x.__mul__, 2**16)
+ if hasattr(x, '__imul__'):
+ self.assertRaises(MemoryError, x.__imul__, 2**16)
def test_subscript(self):
a = self.type2test([10, 11])

154
lang/python/2.5/patches/patch-Lib_test_test_bigmem_py Normal file
View File

@ -0,0 +1,154 @@
$OpenBSD: patch-Lib_test_test_bigmem_py,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Lib/test/test_bigmem.py.orig Sat Dec 1 08:53:17 2007
+++ Lib/test/test_bigmem.py Tue Aug 5 18:18:52 2008
@@ -1,5 +1,5 @@
from test import test_support
-from test.test_support import bigmemtest, _1G, _2G
+from test.test_support import bigmemtest, _1G, _2G, _4G, precisionbigmemtest
import unittest
import operator
@@ -54,6 +54,22 @@ class StrTest(unittest.TestCase):
self.assertEquals(s[lpadsize:-rpadsize], SUBSTR)
self.assertEquals(s.strip(), SUBSTR.strip())
+ @precisionbigmemtest(size=_2G - 1, memuse=1)
+ def test_center_unicode(self, size):
+ SUBSTR = u' abc def ghi'
+ try:
+ s = SUBSTR.center(size)
+ except OverflowError:
+ pass # acceptable on 32-bit
+ else:
+ self.assertEquals(len(s), size)
+ lpadsize = rpadsize = (len(s) - len(SUBSTR)) // 2
+ if len(s) % 2:
+ lpadsize += 1
+ self.assertEquals(s[lpadsize:-rpadsize], SUBSTR)
+ self.assertEquals(s.strip(), SUBSTR.strip())
+ del s
+
@bigmemtest(minsize=_2G, memuse=2)
def test_count(self, size):
SUBSTR = ' abc def ghi'
@@ -70,11 +86,45 @@ class StrTest(unittest.TestCase):
s = '.' * size
self.assertEquals(len(s.decode('utf-8')), size)
+ def basic_encode_test(self, size, enc, c=u'.', expectedsize=None):
+ if expectedsize is None:
+ expectedsize = size
+
+ s = c * size
+ self.assertEquals(len(s.encode(enc)), expectedsize)
+
@bigmemtest(minsize=_2G + 2, memuse=3)
def test_encode(self, size):
- s = u'.' * size
- self.assertEquals(len(s.encode('utf-8')), size)
+ return self.basic_encode_test(size, 'utf-8')
+ @precisionbigmemtest(size=_4G / 6 + 2, memuse=2)
+ def test_encode_raw_unicode_escape(self, size):
+ try:
+ return self.basic_encode_test(size, 'raw_unicode_escape')
+ except MemoryError:
+ pass # acceptable on 32-bit
+
+ @precisionbigmemtest(size=_4G / 5 + 70, memuse=3)
+ def test_encode_utf7(self, size):
+ try:
+ return self.basic_encode_test(size, 'utf7')
+ except MemoryError:
+ pass # acceptable on 32-bit
+
+ @precisionbigmemtest(size=_2G-1, memuse=2)
+ def test_decodeascii(self, size):
+ return self.basic_encode_test(size, 'ascii', c='A')
+
+ @precisionbigmemtest(size=_4G / 5, memuse=6+2)
+ def test_unicode_repr_oflw(self, size):
+ try:
+ s = u"\uAAAA"*size
+ r = repr(s)
+ except MemoryError:
+ pass # acceptable on 32-bit
+ else:
+ self.failUnless(s == eval(r))
+
@bigmemtest(minsize=_2G, memuse=2)
def test_endswith(self, size):
SUBSTR = ' abc def ghi'
@@ -459,6 +509,11 @@ class StrTest(unittest.TestCase):
self.assertEquals(s.count('\\'), size)
self.assertEquals(s.count('0'), size * 2)
+ @bigmemtest(minsize=2**32 / 5, memuse=6+2)
+ def test_unicode_repr(self, size):
+ s = u"\uAAAA" * size
+ self.failUnless(len(repr(s)) > size)
+
# This test is meaningful even with size < 2G, as long as the
# doubled string is > 2G (but it tests more if both are > 2G :)
@bigmemtest(minsize=_1G + 2, memuse=3)
@@ -642,6 +697,35 @@ class TupleTest(unittest.TestCase):
def test_repeat_large(self, size):
return self.basic_test_repeat(size)
+ @bigmemtest(minsize=_1G - 1, memuse=12)
+ def test_repeat_large_2(self, size):
+ return self.basic_test_repeat(size)
+
+ @precisionbigmemtest(size=_1G - 1, memuse=9)
+ def test_from_2G_generator(self, size):
+ try:
+ t = tuple(xrange(size))
+ except MemoryError:
+ pass # acceptable on 32-bit
+ else:
+ count = 0
+ for item in t:
+ self.assertEquals(item, count)
+ count += 1
+ self.assertEquals(count, size)
+
+ @precisionbigmemtest(size=_1G - 25, memuse=9)
+ def test_from_almost_2G_generator(self, size):
+ try:
+ t = tuple(xrange(size))
+ count = 0
+ for item in t:
+ self.assertEquals(item, count)
+ count += 1
+ self.assertEquals(count, size)
+ except MemoryError:
+ pass # acceptable, expected on 32-bit
+
# Like test_concat, split in two.
def basic_test_repr(self, size):
t = (0,) * size
@@ -957,8 +1041,23 @@ class ListTest(unittest.TestCase):
self.assertEquals(l[:10], [1] * 10)
self.assertEquals(l[-10:], [5] * 10)
+class BufferTest(unittest.TestCase):
+
+ @precisionbigmemtest(size=_1G, memuse=4)
+ def test_repeat(self, size):
+ try:
+ b = buffer("AAAA")*size
+ except MemoryError:
+ pass # acceptable on 32-bit
+ else:
+ count = 0
+ for c in b:
+ self.assertEquals(c, 'A')
+ count += 1
+ self.assertEquals(count, size*4)
+
def test_main():
- test_support.run_unittest(StrTest, TupleTest, ListTest)
+ test_support.run_unittest(StrTest, TupleTest, ListTest, BufferTest)
if __name__ == '__main__':
if len(sys.argv) > 1:

46
lang/python/2.5/patches/patch-Lib_test_test_ioctl_py Normal file
View File

@ -0,0 +1,46 @@
$OpenBSD: patch-Lib_test_test_ioctl_py,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Lib/test/test_ioctl.py.orig Thu Sep 15 04:09:42 2005
+++ Lib/test/test_ioctl.py Tue Aug 5 18:18:52 2008
@@ -14,6 +14,11 @@ try:
except IOError:
raise TestSkipped("Unable to open /dev/tty")
+try:
+ import pty
+except ImportError:
+ pty = None
+
class IoctlTests(unittest.TestCase):
def test_ioctl(self):
# If this process has been put into the background, TIOCGPGRP returns
@@ -33,6 +38,30 @@ class IoctlTests(unittest.TestCase):
rpgrp = buf[0]
self.assertEquals(r, 0)
self.assert_(rpgrp in ids, "%s not in %s" % (rpgrp, ids))
+
+ def test_ioctl_signed_unsigned_code_param(self):
+ if not pty:
+ raise TestSkipped('pty module required')
+ mfd, sfd = pty.openpty()
+ try:
+ if termios.TIOCSWINSZ < 0:
+ set_winsz_opcode_maybe_neg = termios.TIOCSWINSZ
+ set_winsz_opcode_pos = termios.TIOCSWINSZ & 0xffffffffL
+ else:
+ set_winsz_opcode_pos = termios.TIOCSWINSZ
+ set_winsz_opcode_maybe_neg, = struct.unpack("i",
+ struct.pack("I", termios.TIOCSWINSZ))
+
+ # We're just testing that these calls do not raise exceptions.
+ saved_winsz = fcntl.ioctl(mfd, termios.TIOCGWINSZ, "\0"*8)
+ our_winsz = struct.pack("HHHH",80,25,0,0)
+ # test both with a positive and potentially negative ioctl code
+ new_winsz = fcntl.ioctl(mfd, set_winsz_opcode_pos, our_winsz)
+ new_winsz = fcntl.ioctl(mfd, set_winsz_opcode_maybe_neg, our_winsz)
+ fcntl.ioctl(mfd, set_winsz_opcode_maybe_neg, saved_winsz)
+ finally:
+ os.close(mfd)
+ os.close(sfd)
def test_main():
run_unittest(IoctlTests)

29
lang/python/2.5/patches/patch-Lib_test_test_strop_py Normal file
View File

@ -0,0 +1,29 @@
$OpenBSD: patch-Lib_test_test_strop_py,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Lib/test/test_strop.py.orig Wed Jul 31 09:27:12 2002
+++ Lib/test/test_strop.py Tue Aug 5 18:18:52 2008
@@ -115,6 +115,25 @@ class StropFunctionTestCase(unittest.TestCase):
strop.uppercase
strop.whitespace
+ @test_support.precisionbigmemtest(size=test_support._2G - 1, memuse=5)
+ def test_stropjoin_huge_list(self, size):
+ a = "A" * size
+ try:
+ r = strop.join([a, a], a)
+ except OverflowError:
+ pass
+ else:
+ self.assertEquals(len(r), len(a) * 3)
+
+ @test_support.precisionbigmemtest(size=test_support._2G - 1, memuse=1)
+ def test_stropjoin_huge_tup(self, size):
+ a = "A" * size
+ try:
+ r = strop.join((a, a), a)
+ except OverflowError:
+ pass # acceptable on 32-bit
+ else:
+ self.assertEquals(len(r), len(a) * 3)
transtable = '\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037 !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`xyzdefghijklmnopqrstuvwxyz{|}~\177\200\201\202\203\204\205\206\207\210\211\212\213\214\215\216\217\220\221\222\223\224\225\226\227\230\231\232\233\234\235\236\237\240\241\242\243\244\245\246\247\250\251\252\253\254\255\256\257\260\261\262\263\264\265\266\267\270\271\272\273\274\275\276\277\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357\360\361\362\363\364\365\366\367\370\371\372\373\374\375\376\377'

63
lang/python/2.5/patches/patch-Lib_test_test_support_py Normal file
View File

@ -0,0 +1,63 @@
$OpenBSD: patch-Lib_test_test_support_py,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Lib/test/test_support.py.orig Sun Jan 27 12:24:44 2008
+++ Lib/test/test_support.py Tue Aug 5 18:18:52 2008
@@ -33,6 +33,7 @@ verbose = 1 # Flag set to 0 by regrtest.p
use_resources = None # Flag set to [] by regrtest.py
max_memuse = 0 # Disable bigmem tests (they will still be run with
# small sizes, to make sure they work.)
+real_max_memuse = 0
# _original_stdout is meant to hold stdout at the time regrtest began.
# This may be "the real" stdout, or IDLE's emulation of stdout, or whatever.
@@ -323,6 +324,7 @@ def run_with_locale(catstr, *locales):
_1M = 1024*1024
_1G = 1024 * _1M
_2G = 2 * _1G
+_4G = 4 * _1G
# Hack to get at the maximum value an internal index can take.
class _Dummy:
@@ -333,6 +335,7 @@ MAX_Py_ssize_t = _Dummy()[:]
def set_memlimit(limit):
import re
global max_memuse
+ global real_max_memuse
sizes = {
'k': 1024,
'm': _1M,
@@ -344,6 +347,7 @@ def set_memlimit(limit):
if m is None:
raise ValueError('Invalid memory limit %r' % (limit,))
memlimit = int(float(m.group(1)) * sizes[m.group(3).lower()])
+ real_max_memuse = memlimit
if memlimit > MAX_Py_ssize_t:
memlimit = MAX_Py_ssize_t
if memlimit < _2G - 1:
@@ -384,6 +388,27 @@ def bigmemtest(minsize, memuse, overhead=5*_1M):
maxsize = max(maxsize - 50 * _1M, minsize)
return f(self, maxsize)
wrapper.minsize = minsize
+ wrapper.memuse = memuse
+ wrapper.overhead = overhead
+ return wrapper
+ return decorator
+
+def precisionbigmemtest(size, memuse, overhead=5*_1M):
+ def decorator(f):
+ def wrapper(self):
+ if not real_max_memuse:
+ maxsize = 5147
+ else:
+ maxsize = size
+
+ if real_max_memuse and real_max_memuse < maxsize * memuse:
+ if verbose:
+ sys.stderr.write("Skipping %s because of memory "
+ "constraint\n" % (f.__name__,))
+ return
+
+ return f(self, maxsize)
+ wrapper.size = size
wrapper.memuse = memuse
wrapper.overhead = overhead
return wrapper

13
lang/python/2.5/patches/patch-Lib_test_test_unicode_py Normal file
View File

@ -0,0 +1,13 @@
$OpenBSD: patch-Lib_test_test_unicode_py,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Lib/test/test_unicode.py.orig Mon Jun 11 14:31:25 2007
+++ Lib/test/test_unicode.py Tue Aug 5 18:18:52 2008
@@ -532,6 +532,9 @@ class UnicodeTest(
self.assertEqual(unicode('+3ADYAA-', 'utf-7', 'replace'), u'\ufffd')
+ # Issue #2242: crash on some Windows/MSVC versions
+ self.assertRaises(UnicodeDecodeError, '+\xc1'.decode, 'utf-7')
+
def test_codecs_utf8(self):
self.assertEqual(u''.encode('utf-8'), '')
self.assertEqual(u'\u20ac'.encode('utf-8'), '\xe2\x82\xac')

15
lang/python/2.5/patches/patch-Lib_test_test_zlib_py Normal file
View File

@ -0,0 +1,15 @@
$OpenBSD: patch-Lib_test_test_zlib_py,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Lib/test/test_zlib.py.orig Mon Jun 12 13:33:09 2006
+++ Lib/test/test_zlib.py Tue Aug 5 18:18:52 2008
@@ -71,6 +71,11 @@ class ExceptionTestCase(unittest.TestCase):
# verify failure on building decompress object with bad params
self.assertRaises(ValueError, zlib.decompressobj, 0)
+ def test_decompressobj_badflush(self):
+ # verify failure on calling decompressobj.flush with bad params
+ self.assertRaises(ValueError, zlib.decompressobj().flush, 0)
+ self.assertRaises(ValueError, zlib.decompressobj().flush, -1)
+
class CompressTestCase(unittest.TestCase):

108
lang/python/2.5/patches/patch-Modules__hashopenssl_c Normal file
View File

@ -0,0 +1,108 @@
$OpenBSD: patch-Modules__hashopenssl_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Modules/_hashopenssl.c.orig Tue May 30 07:04:52 2006
+++ Modules/_hashopenssl.c Tue Aug 5 21:04:47 2008
@@ -19,7 +19,9 @@
/* EVP is the preferred interface to hashing in OpenSSL */
#include <openssl/evp.h>
+#define MUNCH_SIZE INT_MAX
+
#ifndef HASH_OBJ_CONSTRUCTOR
#define HASH_OBJ_CONSTRUCTOR 0
#endif
@@ -164,9 +166,18 @@ EVP_update(EVPobject *self, PyObject *args)
if (!PyArg_ParseTuple(args, "s#:update", &cp, &len))
return NULL;
+ if (len > 0 && len <= MUNCH_SIZE) {
EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t,
unsigned int));
-
+ } else {
+ Py_ssize_t offset = 0;
+ while (len) {
+ unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len;
+ EVP_DigestUpdate(&self->ctx, cp + offset, process);
+ len -= process;
+ offset += process;
+ }
+ }
Py_INCREF(Py_None);
return Py_None;
}
@@ -255,10 +266,21 @@ EVP_tp_init(EVPobject *self, PyObject *args, PyObject
self->name = name_obj;
Py_INCREF(self->name);
- if (cp && len)
+ if (cp && len) {
+ if (len > 0 && len <= MUNCH_SIZE) {
EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t,
unsigned int));
-
+ } else {
+ Py_ssize_t offset = 0;
+ while (len) {
+ unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len;
+ EVP_DigestUpdate(&self->ctx, cp + offset, process);
+ len -= process;
+ offset += process;
+ }
+ }
+ }
+
return 0;
}
#endif
@@ -328,7 +350,7 @@ static PyTypeObject EVPtype = {
static PyObject *
EVPnew(PyObject *name_obj,
const EVP_MD *digest, const EVP_MD_CTX *initial_ctx,
- const unsigned char *cp, unsigned int len)
+ const unsigned char *cp, Py_ssize_t len)
{
EVPobject *self;
@@ -346,8 +368,20 @@ EVPnew(PyObject *name_obj,
EVP_DigestInit(&self->ctx, digest);
}
- if (cp && len)
- EVP_DigestUpdate(&self->ctx, cp, len);
+ if (cp && len) {
+ if (len > 0 && len <= MUNCH_SIZE) {
+ EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t,
+ unsigned int));
+ } else {
+ Py_ssize_t offset = 0;
+ while (len) {
+ unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len;
+ EVP_DigestUpdate(&self->ctx, cp + offset, process);
+ len -= process;
+ offset += process;
+ }
+ }
+ }
return (PyObject *)self;
}
@@ -384,8 +418,7 @@ EVP_new(PyObject *self, PyObject *args, PyObject *kwdi
digest = EVP_get_digestbyname(name);
- return EVPnew(name_obj, digest, NULL, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t,
- unsigned int));
+ return EVPnew(name_obj, digest, NULL, cp, len);
}
/*
@@ -410,7 +443,7 @@ EVP_new(PyObject *self, PyObject *args, PyObject *kwdi
CONST_ ## NAME ## _name_obj, \
NULL, \
CONST_new_ ## NAME ## _ctx_p, \
- cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int)); \
+ cp, len); \
}
/* a PyMethodDef structure for the constructor */

15
lang/python/2.5/patches/patch-Modules_almodule_c Normal file
View File

@ -0,0 +1,15 @@
$OpenBSD: patch-Modules_almodule_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Modules/almodule.c.orig Mon Sep 25 16:53:42 2006
+++ Modules/almodule.c Tue Aug 5 18:18:52 2008
@@ -1633,9 +1633,11 @@ al_QueryValues(PyObject *self, PyObject *args)
if (nvals < 0)
goto cleanup;
if (nvals > setsize) {
+ ALvalue *old_return_set = return_set;
setsize = nvals;
PyMem_RESIZE(return_set, ALvalue, setsize);
if (return_set == NULL) {
+ return_set = old_return_set;
PyErr_NoMemory();
goto cleanup;
}

34
lang/python/2.5/patches/patch-Modules_arraymodule_c Normal file
View File

@ -0,0 +1,34 @@
$OpenBSD: patch-Modules_arraymodule_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Modules/arraymodule.c.orig Sat Feb 16 06:11:46 2008
+++ Modules/arraymodule.c Tue Aug 5 18:18:52 2008
@@ -816,6 +816,7 @@ static int
array_do_extend(arrayobject *self, PyObject *bb)
{
Py_ssize_t size;
+ char *old_item;
if (!array_Check(bb))
return array_iter_extend(self, bb);
@@ -831,10 +832,11 @@ array_do_extend(arrayobject *self, PyObject *bb)
return -1;
}
size = self->ob_size + b->ob_size;
+ old_item = self->ob_item;
PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize);
if (self->ob_item == NULL) {
- PyObject_Del(self);
- PyErr_NoMemory();
+ self->ob_item = old_item;
+ PyErr_NoMemory();
return -1;
}
memcpy(self->ob_item + self->ob_size*self->ob_descr->itemsize,
@@ -886,7 +888,7 @@ array_inplace_repeat(arrayobject *self, Py_ssize_t n)
if (size > PY_SSIZE_T_MAX / n) {
return PyErr_NoMemory();
}
- PyMem_Resize(items, char, n * size);
+ PyMem_RESIZE(items, char, n * size);
if (items == NULL)
return PyErr_NoMemory();
p = items;

29
lang/python/2.5/patches/patch-Modules_fcntlmodule_c Normal file
View File

@ -0,0 +1,29 @@
$OpenBSD: patch-Modules_fcntlmodule_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Modules/fcntlmodule.c.orig Sun Jul 30 01:43:13 2006
+++ Modules/fcntlmodule.c Tue Aug 5 18:18:52 2008
@@ -97,11 +97,20 @@ fcntl_ioctl(PyObject *self, PyObject *args)
{
#define IOCTL_BUFSZ 1024
int fd;
- /* In PyArg_ParseTuple below, use the unsigned int 'I' format for
- the signed int 'code' variable, because Python turns 0x8000000
- into a large positive number (PyLong, or PyInt on 64-bit
- platforms,) whereas C expects it to be a negative int */
- int code;
+ /* In PyArg_ParseTuple below, we use the unsigned non-checked 'I'
+ format for the 'code' parameter because Python turns 0x8000000
+ into either a large positive number (PyLong or PyInt on 64-bit
+ platforms) or a negative number on others (32-bit PyInt)
+ whereas the system expects it to be a 32bit bit field value
+ regardless of it being passed as an int or unsigned long on
+ various platforms. See the termios.TIOCSWINSZ constant across
+ platforms for an example of thise.
+
+ If any of the 64bit platforms ever decide to use more than 32bits
+ in their unsigned long ioctl codes this will break and need
+ special casing based on the platform being built on.
+ */
+ unsigned int code;
int arg;
int ret;
char *str;

24
lang/python/2.5/patches/patch-Modules_gcmodule_c Normal file
View File

@ -0,0 +1,24 @@
$OpenBSD: patch-Modules_gcmodule_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Modules/gcmodule.c.orig Tue Oct 10 05:42:33 2006
+++ Modules/gcmodule.c Tue Aug 5 18:18:52 2008
@@ -1318,7 +1318,10 @@ PyObject *
_PyObject_GC_Malloc(size_t basicsize)
{
PyObject *op;
- PyGC_Head *g = (PyGC_Head *)PyObject_MALLOC(
+ PyGC_Head *g;
+ if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head))
+ return PyErr_NoMemory();
+ g = (PyGC_Head *)PyObject_MALLOC(
sizeof(PyGC_Head) + basicsize);
if (g == NULL)
return PyErr_NoMemory();
@@ -1361,6 +1364,8 @@ _PyObject_GC_Resize(PyVarObject *op, Py_ssize_t nitems
{
const size_t basicsize = _PyObject_VAR_SIZE(op->ob_type, nitems);
PyGC_Head *g = AS_GC(op);
+ if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head))
+ return (PyVarObject *)PyErr_NoMemory();
g = (PyGC_Head *)PyObject_REALLOC(g, sizeof(PyGC_Head) + basicsize);
if (g == NULL)
return (PyVarObject *)PyErr_NoMemory();

218
lang/python/2.5/patches/patch-Modules_imageop_c Normal file
View File

@ -0,0 +1,218 @@
$OpenBSD: patch-Modules_imageop_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Modules/imageop.c.orig Thu Jan 19 17:09:39 2006
+++ Modules/imageop.c Tue Aug 5 18:18:52 2008
@@ -78,7 +78,7 @@ imageop_crop(PyObject *self, PyObject *args)
char *cp, *ncp;
short *nsp;
Py_Int32 *nlp;
- int len, size, x, y, newx1, newx2, newy1, newy2;
+ int len, size, x, y, newx1, newx2, newy1, newy2, nlen;
int ix, iy, xstep, ystep;
PyObject *rv;
@@ -90,13 +90,19 @@ imageop_crop(PyObject *self, PyObject *args)
PyErr_SetString(ImageopError, "Size should be 1, 2 or 4");
return 0;
}
- if ( len != size*x*y ) {
+ if (( len != size*x*y ) ||
+ ( size != ((len / x) / y) )) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
xstep = (newx1 < newx2)? 1 : -1;
ystep = (newy1 < newy2)? 1 : -1;
+ nlen = (abs(newx2-newx1)+1)*(abs(newy2-newy1)+1)*size;
+ if ( size != ((nlen / (abs(newx2-newx1)+1)) / (abs(newy2-newy1)+1)) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
rv = PyString_FromStringAndSize(NULL,
(abs(newx2-newx1)+1)*(abs(newy2-newy1)+1)*size);
if ( rv == 0 )
@@ -132,7 +138,7 @@ imageop_scale(PyObject *self, PyObject *args)
char *cp, *ncp;
short *nsp;
Py_Int32 *nlp;
- int len, size, x, y, newx, newy;
+ int len, size, x, y, newx, newy, nlen;
int ix, iy;
int oix, oiy;
PyObject *rv;
@@ -145,12 +151,18 @@ imageop_scale(PyObject *self, PyObject *args)
PyErr_SetString(ImageopError, "Size should be 1, 2 or 4");
return 0;
}
- if ( len != size*x*y ) {
+ if ( ( len != size*x*y ) ||
+ ( size != ((len / x) / y) ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
+ nlen = newx*newy*size;
+ if ( size != ((nlen / newx) / newy) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
- rv = PyString_FromStringAndSize(NULL, newx*newy*size);
+ rv = PyString_FromStringAndSize(NULL, nlen);
if ( rv == 0 )
return 0;
ncp = (char *)PyString_AsString(rv);
@@ -190,7 +202,8 @@ imageop_tovideo(PyObject *self, PyObject *args)
PyErr_SetString(ImageopError, "Size should be 1 or 4");
return 0;
}
- if ( maxx*maxy*width != len ) {
+ if ( ( maxx*maxy*width != len ) ||
+ ( maxx != ((len / maxy) / width) ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -240,7 +253,8 @@ imageop_grey2mono(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#iii", &cp, &len, &x, &y, &tres) )
return 0;
- if ( x*y != len ) {
+ if ( ( x*y != len ) ||
+ ( x != len / y ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -281,7 +295,8 @@ imageop_grey2grey4(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
return 0;
- if ( x*y != len ) {
+ if ( ( x*y != len ) ||
+ ( x != len / y ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -320,7 +335,8 @@ imageop_grey2grey2(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
return 0;
- if ( x*y != len ) {
+ if ( ( x*y != len ) ||
+ ( x != len / y ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -358,7 +374,8 @@ imageop_dither2mono(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
return 0;
- if ( x*y != len ) {
+ if ( ( x*y != len ) ||
+ ( x != len / y ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -404,7 +421,8 @@ imageop_dither2grey2(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
return 0;
- if ( x*y != len ) {
+ if ( ( x*y != len ) ||
+ ( x != len / y ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -443,7 +461,11 @@ imageop_mono2grey(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#iiii", &cp, &len, &x, &y, &v0, &v1) )
return 0;
- nlen = x*y;
+ nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( (nlen+7)/8 != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
@@ -481,6 +503,10 @@ imageop_grey22grey(PyObject *self, PyObject *args)
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( (nlen+3)/4 != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
@@ -517,6 +543,10 @@ imageop_grey42grey(PyObject *self, PyObject *args)
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( (nlen+1)/2 != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
@@ -554,6 +584,10 @@ imageop_rgb2rgb8(PyObject *self, PyObject *args)
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( nlen*4 != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
@@ -598,10 +632,19 @@ imageop_rgb82rgb(PyObject *self, PyObject *args)
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( nlen != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
+
+ if ( nlen / x != y || nlen > INT_MAX / 4) {
+ PyErr_SetString(ImageopError, "Image is too large");
+ return 0;
+ }
rv = PyString_FromStringAndSize(NULL, nlen*4);
if ( rv == 0 )
@@ -648,6 +691,10 @@ imageop_rgb2grey(PyObject *self, PyObject *args)
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( nlen*4 != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
@@ -693,8 +740,17 @@ imageop_grey2rgb(PyObject *self, PyObject *args)
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( nlen != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
+
+ if ( nlen / x != y || nlen > INT_MAX / 4) {
+ PyErr_SetString(ImageopError, "Image is too large");
return 0;
}

12
lang/python/2.5/patches/patch-Modules_mmapmodule_c Normal file
View File

@ -0,0 +1,12 @@
$OpenBSD: patch-Modules_mmapmodule_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Modules/mmapmodule.c.orig Tue Aug 22 23:57:07 2006
+++ Modules/mmapmodule.c Tue Aug 5 18:18:52 2008
@@ -223,7 +223,7 @@ mmap_read_method(mmap_object *self,
return(NULL);
/* silently 'adjust' out-of-range requests */
- if ((self->pos + num_bytes) > self->size) {
+ if (num_bytes > self->size - self->pos) {
num_bytes -= (self->pos+num_bytes) - self->size;
}
result = Py_BuildValue("s#", self->data+self->pos, num_bytes);

15
lang/python/2.5/patches/patch-Modules_rgbimgmodule_c Normal file
View File

@ -0,0 +1,15 @@
$OpenBSD: patch-Modules_rgbimgmodule_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Modules/rgbimgmodule.c.orig Thu Feb 14 22:26:18 2008
+++ Modules/rgbimgmodule.c Tue Aug 5 18:18:52 2008
@@ -299,6 +299,11 @@ longimagedata(PyObject *self, PyObject *args)
xsize = image.xsize;
ysize = image.ysize;
zsize = image.zsize;
+ tablen = xsize * ysize * zsize * sizeof(Py_Int32);
+ if (xsize != (((tablen / ysize) / zsize) / sizeof(Py_Int32))) {
+ PyErr_NoMemory();
+ goto finally;
+ }
if (rle) {
tablen = ysize * zsize * sizeof(Py_Int32);
rlebuflen = (int) (1.05 * xsize +10);

17
lang/python/2.5/patches/patch-Modules_selectmodule_c Normal file
View File

@ -0,0 +1,17 @@
$OpenBSD: patch-Modules_selectmodule_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Modules/selectmodule.c.orig Mon Jul 10 11:18:57 2006
+++ Modules/selectmodule.c Tue Aug 5 18:18:52 2008
@@ -349,10 +349,12 @@ update_ufd_array(pollObject *self)
{
Py_ssize_t i, pos;
PyObject *key, *value;
+ struct pollfd *old_ufds = self->ufds;
self->ufd_len = PyDict_Size(self->dict);
- PyMem_Resize(self->ufds, struct pollfd, self->ufd_len);
+ PyMem_RESIZE(self->ufds, struct pollfd, self->ufd_len);
if (self->ufds == NULL) {
+ self->ufds = old_ufds;
PyErr_NoMemory();
return 0;
}

32
lang/python/2.5/patches/patch-Modules_stropmodule_c Normal file
View File

@ -0,0 +1,32 @@
$OpenBSD: patch-Modules_stropmodule_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Modules/stropmodule.c.orig Thu Feb 14 22:26:18 2008
+++ Modules/stropmodule.c Tue Aug 5 18:18:52 2008
@@ -216,6 +216,13 @@ strop_joinfields(PyObject *self, PyObject *args)
return NULL;
}
slen = PyString_GET_SIZE(item);
+ if (slen > PY_SSIZE_T_MAX - reslen ||
+ seplen > PY_SSIZE_T_MAX - reslen - seplen) {
+ PyErr_SetString(PyExc_OverflowError,
+ "input too long");
+ Py_DECREF(res);
+ return NULL;
+ }
while (reslen + slen + seplen >= sz) {
if (_PyString_Resize(&res, sz * 2) < 0)
return NULL;
@@ -253,6 +260,14 @@ strop_joinfields(PyObject *self, PyObject *args)
return NULL;
}
slen = PyString_GET_SIZE(item);
+ if (slen > PY_SSIZE_T_MAX - reslen ||
+ seplen > PY_SSIZE_T_MAX - reslen - seplen) {
+ PyErr_SetString(PyExc_OverflowError,
+ "input too long");
+ Py_DECREF(res);
+ Py_XDECREF(item);
+ return NULL;
+ }
while (reslen + slen + seplen >= sz) {
if (_PyString_Resize(&res, sz * 2) < 0) {
Py_DECREF(item);

14
lang/python/2.5/patches/patch-Modules_zlibmodule_c Normal file
View File

@ -0,0 +1,14 @@
$OpenBSD: patch-Modules_zlibmodule_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Modules/zlibmodule.c.orig Wed Nov 21 11:44:57 2007
+++ Modules/zlibmodule.c Tue Aug 5 18:18:52 2008
@@ -774,6 +774,10 @@ PyZlib_unflush(compobject *self, PyObject *args)
if (!PyArg_ParseTuple(args, "|i:flush", &length))
return NULL;
+ if (length <= 0) {
+ PyErr_SetString(PyExc_ValueError, "length must be greater than zero");
+ return NULL;
+ }
if (!(retval = PyString_FromStringAndSize(NULL, length)))
return NULL;

14
lang/python/2.5/patches/patch-Objects_bufferobject_c Normal file
View File

@ -0,0 +1,14 @@
$OpenBSD: patch-Objects_bufferobject_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Objects/bufferobject.c.orig Thu Feb 14 22:26:18 2008
+++ Objects/bufferobject.c Tue Aug 5 18:18:52 2008
@@ -427,6 +427,10 @@ buffer_repeat(PyBufferObject *self, Py_ssize_t count)
count = 0;
if (!get_buf(self, &ptr, &size, ANY_BUFFER))
return NULL;
+ if (count > PY_SSIZE_T_MAX / size) {
+ PyErr_SetString(PyExc_MemoryError, "result too large");
+ return NULL;
+ }
ob = PyString_FromStringAndSize(NULL, size * count);
if ( ob == NULL )
return NULL;

12
lang/python/2.5/patches/patch-Objects_longobject_c Normal file
View File

@ -0,0 +1,12 @@
$OpenBSD: patch-Objects_longobject_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Objects/longobject.c.orig Tue May 8 04:30:48 2007
+++ Objects/longobject.c Tue Aug 5 18:18:52 2008
@@ -70,6 +70,8 @@ _PyLong_New(Py_ssize_t size)
PyErr_NoMemory();
return NULL;
}
+ /* XXX(nnorwitz): This can overflow --
+ PyObject_NEW_VAR / _PyObject_VAR_SIZE need to detect overflow */
return PyObject_NEW_VAR(PyLongObject, &PyLong_Type, size);
}

35
lang/python/2.5/patches/patch-Objects_obmalloc_c Normal file
View File

@ -0,0 +1,35 @@
$OpenBSD: patch-Objects_obmalloc_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Objects/obmalloc.c.orig Thu Feb 14 22:26:18 2008
+++ Objects/obmalloc.c Tue Aug 5 18:18:52 2008
@@ -727,6 +727,15 @@ PyObject_Malloc(size_t nbytes)
uint size;
/*
+ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes.
+ * Most python internals blindly use a signed Py_ssize_t to track
+ * things without checking for overflows or negatives.
+ * As size_t is unsigned, checking for nbytes < 0 is not required.
+ */
+ if (nbytes > PY_SSIZE_T_MAX)
+ return NULL;
+
+ /*
* This implicitly redirects malloc(0).
*/
if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) {
@@ -1129,6 +1138,15 @@ PyObject_Realloc(void *p, size_t nbytes)
if (p == NULL)
return PyObject_Malloc(nbytes);
+
+ /*
+ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes.
+ * Most python internals blindly use a signed Py_ssize_t to track
+ * things without checking for overflows or negatives.
+ * As size_t is unsigned, checking for nbytes < 0 is not required.
+ */
+ if (nbytes > PY_SSIZE_T_MAX)
+ return NULL;
pool = POOL_ADDR(p);
if (Py_ADDRESS_IN_RANGE(p, pool)) {

62
lang/python/2.5/patches/patch-Objects_stringobject_c Normal file
View File

@ -0,0 +1,62 @@
$OpenBSD: patch-Objects_stringobject_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Objects/stringobject.c.orig Wed Nov 7 12:19:49 2007
+++ Objects/stringobject.c Tue Aug 5 18:18:52 2008
@@ -54,6 +54,11 @@ PyString_FromStringAndSize(const char *str, Py_ssize_t
{
register PyStringObject *op;
assert(size >= 0);
+ if (size < 0) {
+ PyErr_SetString(PyExc_SystemError,
+ "Negative size passed to PyString_FromStringAndSize");
+ return NULL;
+ }
if (size == 0 && (op = nullstring) != NULL) {
#ifdef COUNT_ALLOCS
null_strings++;
@@ -71,6 +76,11 @@ PyString_FromStringAndSize(const char *str, Py_ssize_t
return (PyObject *)op;
}
+ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
+ PyErr_SetString(PyExc_OverflowError, "string is too large");
+ return NULL;
+ }
+
/* Inline PyObject_NewVar */
op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
if (op == NULL)
@@ -106,7 +116,7 @@ PyString_FromString(const char *str)
assert(str != NULL);
size = strlen(str);
- if (size > PY_SSIZE_T_MAX) {
+ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
PyErr_SetString(PyExc_OverflowError,
"string is too long for a Python string");
return NULL;
@@ -967,14 +977,24 @@ string_concat(register PyStringObject *a, register PyO
Py_INCREF(a);
return (PyObject *)a;
}
+ /* Check that string sizes are not negative, to prevent an
+ overflow in cases where we are passed incorrectly-created
+ strings with negative lengths (due to a bug in other code).
+ */
size = a->ob_size + b->ob_size;
- if (size < 0) {
+ if (a->ob_size < 0 || b->ob_size < 0 ||
+ a->ob_size > PY_SSIZE_T_MAX - b->ob_size) {
PyErr_SetString(PyExc_OverflowError,
"strings are too large to concat");
return NULL;
}
/* Inline PyObject_NewVar */
+ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
+ PyErr_SetString(PyExc_OverflowError,
+ "strings are too large to concat");
+ return NULL;
+ }
op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
if (op == NULL)
return PyErr_NoMemory();

18
lang/python/2.5/patches/patch-Objects_tupleobject_c Normal file
View File

@ -0,0 +1,18 @@
$OpenBSD: patch-Objects_tupleobject_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Objects/tupleobject.c.orig Sun Aug 13 03:03:09 2006
+++ Objects/tupleobject.c Tue Aug 5 18:18:52 2008
@@ -60,11 +60,12 @@ PyTuple_New(register Py_ssize_t size)
Py_ssize_t nbytes = size * sizeof(PyObject *);
/* Check for overflow */
if (nbytes / sizeof(PyObject *) != (size_t)size ||
- (nbytes += sizeof(PyTupleObject) - sizeof(PyObject *))
- <= 0)
+ (nbytes > PY_SSIZE_T_MAX - sizeof(PyTupleObject) - sizeof(PyObject *)))
{
return PyErr_NoMemory();
}
+ nbytes += sizeof(PyTupleObject) - sizeof(PyObject *);
+
op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size);
if (op == NULL)
return NULL;

125
lang/python/2.5/patches/patch-Objects_unicodeobject_c Normal file
View File

@ -0,0 +1,125 @@
$OpenBSD: patch-Objects_unicodeobject_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Objects/unicodeobject.c.orig Sat Nov 3 09:46:38 2007
+++ Objects/unicodeobject.c Tue Aug 5 18:18:52 2008
@@ -239,6 +239,11 @@ PyUnicodeObject *_PyUnicode_New(Py_ssize_t length)
return unicode_empty;
}
+ /* Ensure we won't overflow the size. */
+ if (length > ((PY_SSIZE_T_MAX / sizeof(Py_UNICODE)) - 1)) {
+ return (PyUnicodeObject *)PyErr_NoMemory();
+ }
+
/* Unicode freelist & memory allocation */
if (unicode_freelist) {
unicode = unicode_freelist;
@@ -970,7 +975,7 @@ PyObject *PyUnicode_DecodeUTF7(const char *s,
while (s < e) {
Py_UNICODE ch;
restart:
- ch = *s;
+ ch = (unsigned char) *s;
if (inShift) {
if ((ch == '-') || !B64CHAR(ch)) {
@@ -1091,6 +1096,9 @@ PyObject *PyUnicode_EncodeUTF7(const Py_UNICODE *s,
char * out;
char * start;
+ if (cbAllocated / 5 != size)
+ return PyErr_NoMemory();
+
if (size == 0)
return PyString_FromStringAndSize(NULL, 0);
@@ -1689,8 +1697,9 @@ PyUnicode_EncodeUTF16(const Py_UNICODE *s,
{
PyObject *v;
unsigned char *p;
+ Py_ssize_t nsize, bytesize;
#ifdef Py_UNICODE_WIDE
- int i, pairs;
+ Py_ssize_t i, pairs;
#else
const int pairs = 0;
#endif
@@ -1713,8 +1722,15 @@ PyUnicode_EncodeUTF16(const Py_UNICODE *s,
if (s[i] >= 0x10000)
pairs++;
#endif
- v = PyString_FromStringAndSize(NULL,
- 2 * (size + pairs + (byteorder == 0)));
+ /* 2 * (size + pairs + (byteorder == 0)) */
+ if (size > PY_SSIZE_T_MAX ||
+ size > PY_SSIZE_T_MAX - pairs - (byteorder == 0))
+ return PyErr_NoMemory();
+ nsize = (size + pairs + (byteorder == 0));
+ bytesize = nsize * 2;
+ if (bytesize / 2 != nsize)
+ return PyErr_NoMemory();
+ v = PyString_FromStringAndSize(NULL, bytesize);
if (v == NULL)
return NULL;
@@ -2042,6 +2058,11 @@ PyObject *unicodeescape_string(const Py_UNICODE *s,
char *p;
static const char *hexdigit = "0123456789abcdef";
+#ifdef Py_UNICODE_WIDE
+ const Py_ssize_t expandsize = 10;
+#else
+ const Py_ssize_t expandsize = 6;
+#endif
/* Initial allocation is based on the longest-possible unichr
escape.
@@ -2057,13 +2078,12 @@ PyObject *unicodeescape_string(const Py_UNICODE *s,
escape.
*/
+ if (size > (PY_SSIZE_T_MAX - 2 - 1) / expandsize)
+ return PyErr_NoMemory();
+
repr = PyString_FromStringAndSize(NULL,
2
-#ifdef Py_UNICODE_WIDE
- + 10*size
-#else
- + 6*size
-#endif
+ + expandsize*size
+ 1);
if (repr == NULL)
return NULL;
@@ -2304,12 +2324,16 @@ PyObject *PyUnicode_EncodeRawUnicodeEscape(const Py_UN
char *q;
static const char *hexdigit = "0123456789abcdef";
-
#ifdef Py_UNICODE_WIDE
- repr = PyString_FromStringAndSize(NULL, 10 * size);
+ const Py_ssize_t expandsize = 10;
#else
- repr = PyString_FromStringAndSize(NULL, 6 * size);
+ const Py_ssize_t expandsize = 6;
#endif
+
+ if (size > PY_SSIZE_T_MAX / expandsize)
+ return PyErr_NoMemory();
+
+ repr = PyString_FromStringAndSize(NULL, expandsize * size);
if (repr == NULL)
return NULL;
if (size == 0)
@@ -4719,6 +4743,11 @@ PyUnicodeObject *pad(PyUnicodeObject *self,
return self;
}
+ if (left > PY_SSIZE_T_MAX - self->length ||
+ right > PY_SSIZE_T_MAX - (left + self->length)) {
+ PyErr_SetString(PyExc_OverflowError, "padded string is too long");
+ return NULL;
+ }
u = _PyUnicode_New(left + self->length + right);
if (u) {
if (left)

56
lang/python/2.5/patches/patch-Python_mysnprintf_c Normal file
View File

@ -0,0 +1,56 @@
$OpenBSD: patch-Python_mysnprintf_c,v 1.1 2008/08/06 03:23:31 djm Exp $
--- Python/mysnprintf.c.orig Sat Dec 22 03:32:15 2001
+++ Python/mysnprintf.c Tue Aug 5 18:18:52 2008
@@ -54,18 +54,28 @@ int
PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va)
{
int len; /* # bytes written, excluding \0 */
-#ifndef HAVE_SNPRINTF
+#ifdef HAVE_SNPRINTF
+#define _PyOS_vsnprintf_EXTRA_SPACE 1
+#else
+#define _PyOS_vsnprintf_EXTRA_SPACE 512
char *buffer;
#endif
assert(str != NULL);
assert(size > 0);
assert(format != NULL);
+ /* We take a size_t as input but return an int. Sanity check
+ * our input so that it won't cause an overflow in the
+ * vsnprintf return value or the buffer malloc size. */
+ if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE) {
+ len = -666;
+ goto Done;
+ }
#ifdef HAVE_SNPRINTF
len = vsnprintf(str, size, format, va);
#else
/* Emulate it. */
- buffer = PyMem_MALLOC(size + 512);
+ buffer = PyMem_MALLOC(size + _PyOS_vsnprintf_EXTRA_SPACE);
if (buffer == NULL) {
len = -666;
goto Done;
@@ -75,7 +85,7 @@ PyOS_vsnprintf(char *str, size_t size, const char *fo
if (len < 0)
/* ignore the error */;
- else if ((size_t)len >= size + 512)
+ else if ((size_t)len >= size + _PyOS_vsnprintf_EXTRA_SPACE)
Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf");
else {
@@ -86,8 +96,10 @@ PyOS_vsnprintf(char *str, size_t size, const char *fo
str[to_copy] = '\0';
}
PyMem_FREE(buffer);
-Done:
#endif
- str[size-1] = '\0';
+Done:
+ if (size > 0)
+ str[size-1] = '\0';
return len;
+#undef _PyOS_vsnprintf_EXTRA_SPACE
}