Ana Sayfa Keşfet Yardım
Giriş Yap
crispAudio
/
poky
şunun yansıması git://git.yoctoproject.org/poky
5
0
Çatalla 0
Dosyalar Sorunlar 0 Wiki
Ağaç: 26ab554fd5
Dallar Biçim İmleri
poky
/
meta
/
recipes-devtools
/
python
/
python3
/
CVE-2018-20406.patch

CVE-2018-20406.patch 7.2 KB
Geçmiş Ham

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217 
  1. From 3c7fd2b2729e3ebcf7877e7a32b3bbabf907a38d Mon Sep 17 00:00:00 2001
    2. 

  2. From: Victor Stinner <vstinner@redhat.com>
    3. 

  3. Date: Tue, 26 Feb 2019 01:42:39 +0100
    4. 

  4. Subject: [PATCH] closes bpo-34656: Avoid relying on signed overflow in _pickle
    5. 

  5.  memos. (GH-9261) (#11869)
    6. 

  6. 

  7. (cherry picked from commit a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd)
    8. 

  8. 

  9. CVE: CVE-2018-20406
    10. 

  10. Upstream-Status: Backport
    11. 

  11. [https://github.com/python/cpython/commit/ef33dd6036aafbd3f06c1d56e2b1a81dae3da63c]
    12. 

  12. 

  13. Signed-off-by: Dan Tran <dantran@microsoft.com>
    14. 

  14. ---
    15. 

  15.  Modules/_pickle.c | 63 ++++++++++++++++++++++++-----------------------
    16. 

  16.  1 file changed, 32 insertions(+), 31 deletions(-)
    17. 

  17. 

  18. diff --git a/Modules/_pickle.c b/Modules/_pickle.c
    19. 

  19. index 0f62b1c019..fcb9e87899 100644
    20. 

  20. --- a/Modules/_pickle.c
    21. 

  21. +++ b/Modules/_pickle.c
    22. 

  22. @@ -527,9 +527,9 @@ typedef struct {
    23. 

  23.  } PyMemoEntry;
    24. 

  24.  
    25. 

  25.  typedef struct {
    26. 

  26. -    Py_ssize_t mt_mask;
    27. 

  27. -    Py_ssize_t mt_used;
    28. 

  28. -    Py_ssize_t mt_allocated;
    29. 

  29. +    size_t mt_mask;
    30. 

  30. +    size_t mt_used;
    31. 

  31. +    size_t mt_allocated;
    32. 

  32.      PyMemoEntry *mt_table;
    33. 

  33.  } PyMemoTable;
    34. 

  34.  
    35. 

  35. @@ -573,8 +573,8 @@ typedef struct UnpicklerObject {
    36. 

  36.      /* The unpickler memo is just an array of PyObject *s. Using a dict
    37. 

  37.         is unnecessary, since the keys are contiguous ints. */
    38. 

  38.      PyObject **memo;
    39. 

  39. -    Py_ssize_t memo_size;       /* Capacity of the memo array */
    40. 

  40. -    Py_ssize_t memo_len;        /* Number of objects in the memo */
    41. 

  41. +    size_t memo_size;       /* Capacity of the memo array */
    42. 

  42. +    size_t memo_len;        /* Number of objects in the memo */
    43. 

  43.  
    44. 

  44.      PyObject *pers_func;        /* persistent_load() method, can be NULL. */
    45. 

  45.  
    46. 

  46. @@ -658,7 +658,6 @@ PyMemoTable_New(void)
    47. 

  47.  static PyMemoTable *
    48. 

  48.  PyMemoTable_Copy(PyMemoTable *self)
    49. 

  49.  {
    50. 

  50. -    Py_ssize_t i;
    51. 

  51.      PyMemoTable *new = PyMemoTable_New();
    52. 

  52.      if (new == NULL)
    53. 

  53.          return NULL;
    54. 

  54. @@ -675,7 +674,7 @@ PyMemoTable_Copy(PyMemoTable *self)
    55. 

  55.          PyErr_NoMemory();
    56. 

  56.          return NULL;
    57. 

  57.      }
    58. 

  58. -    for (i = 0; i < self->mt_allocated; i++) {
    59. 

  59. +    for (size_t i = 0; i < self->mt_allocated; i++) {
    60. 

  60.          Py_XINCREF(self->mt_table[i].me_key);
    61. 

  61.      }
    62. 

  62.      memcpy(new->mt_table, self->mt_table,
    63. 

  63. @@ -721,7 +720,7 @@ _PyMemoTable_Lookup(PyMemoTable *self, PyObject *key)
    64. 

  64.  {
    65. 

  65.      size_t i;
    66. 

  66.      size_t perturb;
    67. 

  67. -    size_t mask = (size_t)self->mt_mask;
    68. 

  68. +    size_t mask = self->mt_mask;
    69. 

  69.      PyMemoEntry *table = self->mt_table;
    70. 

  70.      PyMemoEntry *entry;
    71. 

  71.      Py_hash_t hash = (Py_hash_t)key >> 3;
    72. 

  72. @@ -743,22 +742,24 @@ _PyMemoTable_Lookup(PyMemoTable *self, PyObject *key)
    73. 

  73.  
    74. 

  74.  /* Returns -1 on failure, 0 on success. */
    75. 

  75.  static int
    76. 

  76. -_PyMemoTable_ResizeTable(PyMemoTable *self, Py_ssize_t min_size)
    77. 

  77. +_PyMemoTable_ResizeTable(PyMemoTable *self, size_t min_size)
    78. 

  78.  {
    79. 

  79.      PyMemoEntry *oldtable = NULL;
    80. 

  80.      PyMemoEntry *oldentry, *newentry;
    81. 

  81. -    Py_ssize_t new_size = MT_MINSIZE;
    82. 

  82. -    Py_ssize_t to_process;
    83. 

  83. +    size_t new_size = MT_MINSIZE;
    84. 

  84. +    size_t to_process;
    85. 

  85.  
    86. 

  86.      assert(min_size > 0);
    87. 

  87.  
    88. 

  88. -    /* Find the smallest valid table size >= min_size. */
    89. 

  89. -    while (new_size < min_size && new_size > 0)
    90. 

  90. -        new_size <<= 1;
    91. 

  91. -    if (new_size <= 0) {
    92. 

  92. +    if (min_size > PY_SSIZE_T_MAX) {
    93. 

  93.          PyErr_NoMemory();
    94. 

  94.          return -1;
    95. 

  95.      }
    96. 

  96. +
    97. 

  97. +    /* Find the smallest valid table size >= min_size. */
    98. 

  98. +    while (new_size < min_size) {
    99. 

  99. +        new_size <<= 1;
    100. 

  100. +    }
    101. 

  101.      /* new_size needs to be a power of two. */
    102. 

  102.      assert((new_size & (new_size - 1)) == 0);
    103. 

  103.  
    104. 

  104. @@ -808,6 +809,7 @@ static int
    105. 

  105.  PyMemoTable_Set(PyMemoTable *self, PyObject *key, Py_ssize_t value)
    106. 

  106.  {
    107. 

  107.      PyMemoEntry *entry;
    108. 

  108. +    size_t desired_size;
    109. 

  109.  
    110. 

  110.      assert(key != NULL);
    111. 

  111.  
    112. 

  112. @@ -831,10 +833,12 @@ PyMemoTable_Set(PyMemoTable *self, PyObject *key, Py_ssize_t value)
    113. 

  113.       * Very large memo tables (over 50K items) use doubling instead.
    114. 

  114.       * This may help applications with severe memory constraints.
    115. 

  115.       */
    116. 

  116. -    if (!(self->mt_used * 3 >= (self->mt_mask + 1) * 2))
    117. 

  117. +    if (SIZE_MAX / 3 >= self->mt_used && self->mt_used * 3 < self->mt_allocated * 2) {
    118. 

  118.          return 0;
    119. 

  119. -    return _PyMemoTable_ResizeTable(self,
    120. 

  120. -        (self->mt_used > 50000 ? 2 : 4) * self->mt_used);
    121. 

  121. +    }
    122. 

  122. +    // self->mt_used is always < PY_SSIZE_T_MAX, so this can't overflow.
    123. 

  123. +    desired_size = (self->mt_used > 50000 ? 2 : 4) * self->mt_used;
    124. 

  124. +    return _PyMemoTable_ResizeTable(self, desired_size);
    125. 

  125.  }
    126. 

  126.  
    127. 

  127.  #undef MT_MINSIZE
    128. 

  128. @@ -1273,9 +1277,9 @@ _Unpickler_Readline(UnpicklerObject *self, char **result)
    129. 

  129.  /* Returns -1 (with an exception set) on failure, 0 on success. The memo array
    130. 

  130.     will be modified in place. */
    131. 

  131.  static int
    132. 

  132. -_Unpickler_ResizeMemoList(UnpicklerObject *self, Py_ssize_t new_size)
    133. 

  133. +_Unpickler_ResizeMemoList(UnpicklerObject *self, size_t new_size)
    134. 

  134.  {
    135. 

  135. -    Py_ssize_t i;
    136. 

  136. +    size_t i;
    137. 

  137.  
    138. 

  138.      assert(new_size > self->memo_size);
    139. 

  139.  
    140. 

  140. @@ -1292,9 +1296,9 @@ _Unpickler_ResizeMemoList(UnpicklerObject *self, Py_ssize_t new_size)
    141. 

  141.  
    142. 

  142.  /* Returns NULL if idx is out of bounds. */
    143. 

  143.  static PyObject *
    144. 

  144. -_Unpickler_MemoGet(UnpicklerObject *self, Py_ssize_t idx)
    145. 

  145. +_Unpickler_MemoGet(UnpicklerObject *self, size_t idx)
    146. 

  146.  {
    147. 

  147. -    if (idx < 0 || idx >= self->memo_size)
    148. 

  148. +    if (idx >= self->memo_size)
    149. 

  149.          return NULL;
    150. 

  150.  
    151. 

  151.      return self->memo[idx];
    152. 

  152. @@ -1303,7 +1307,7 @@ _Unpickler_MemoGet(UnpicklerObject *self, Py_ssize_t idx)
    153. 

  153.  /* Returns -1 (with an exception set) on failure, 0 on success.
    154. 

  154.     This takes its own reference to `value`. */
    155. 

  155.  static int
    156. 

  156. -_Unpickler_MemoPut(UnpicklerObject *self, Py_ssize_t idx, PyObject *value)
    157. 

  157. +_Unpickler_MemoPut(UnpicklerObject *self, size_t idx, PyObject *value)
    158. 

  158.  {
    159. 

  159.      PyObject *old_item;
    160. 

  160.  
    161. 

  161. @@ -4194,14 +4198,13 @@ static PyObject *
    162. 

  162.  _pickle_PicklerMemoProxy_copy_impl(PicklerMemoProxyObject *self)
    163. 

  163.  /*[clinic end generated code: output=bb83a919d29225ef input=b73043485ac30b36]*/
    164. 

  164.  {
    165. 

  165. -    Py_ssize_t i;
    166. 

  166.      PyMemoTable *memo;
    167. 

  167.      PyObject *new_memo = PyDict_New();
    168. 

  168.      if (new_memo == NULL)
    169. 

  169.          return NULL;
    170. 

  170.  
    171. 

  171.      memo = self->pickler->memo;
    172. 

  172. -    for (i = 0; i < memo->mt_allocated; ++i) {
    173. 

  173. +    for (size_t i = 0; i < memo->mt_allocated; ++i) {
    174. 

  174.          PyMemoEntry entry = memo->mt_table[i];
    175. 

  175.          if (entry.me_key != NULL) {
    176. 

  176.              int status;
    177. 

  177. @@ -6620,7 +6623,7 @@ static PyObject *
    178. 

  178.  _pickle_UnpicklerMemoProxy_copy_impl(UnpicklerMemoProxyObject *self)
    179. 

  179.  /*[clinic end generated code: output=e12af7e9bc1e4c77 input=97769247ce032c1d]*/
    180. 

  180.  {
    181. 

  181. -    Py_ssize_t i;
    182. 

  182. +    size_t i;
    183. 

  183.      PyObject *new_memo = PyDict_New();
    184. 

  184.      if (new_memo == NULL)
    185. 

  185.          return NULL;
    186. 

  186. @@ -6771,8 +6774,7 @@ static int
    187. 

  187.  Unpickler_set_memo(UnpicklerObject *self, PyObject *obj)
    188. 

  188.  {
    189. 

  189.      PyObject **new_memo;
    190. 

  190. -    Py_ssize_t new_memo_size = 0;
    191. 

  191. -    Py_ssize_t i;
    192. 

  192. +    size_t new_memo_size = 0;
    193. 

  193.  
    194. 

  194.      if (obj == NULL) {
    195. 

  195.          PyErr_SetString(PyExc_TypeError,
    196. 

  196. @@ -6789,7 +6791,7 @@ Unpickler_set_memo(UnpicklerObject *self, PyObject *obj)
    197. 

  197.          if (new_memo == NULL)
    198. 

  198.              return -1;
    199. 

  199.  
    200. 

  200. -        for (i = 0; i < new_memo_size; i++) {
    201. 

  201. +        for (size_t i = 0; i < new_memo_size; i++) {
    202. 

  202.              Py_XINCREF(unpickler->memo[i]);
    203. 

  203.              new_memo[i] = unpickler->memo[i];
    204. 

  204.          }
    205. 

  205. @@ -6837,8 +6839,7 @@ Unpickler_set_memo(UnpicklerObject *self, PyObject *obj)
    206. 

  206.  
    207. 

  207.    error:
    208. 

  208.      if (new_memo_size) {
    209. 

  209. -        i = new_memo_size;
    210. 

  210. -        while (--i >= 0) {
    211. 

  211. +        for (size_t i = new_memo_size - 1; i != SIZE_MAX; i--) {
    212. 

  212.              Py_XDECREF(new_memo[i]);
    213. 

  213.          }
    214. 

  214.          PyMem_FREE(new_memo);
    215. 

  215. -- 
    216. 

  216. 2.22.0.vfs.1.1.57.gbaf16c8
    217. 

  217.