New submission from Insu Yun:

In zipimport.c (lines 1116-1119):

    bytes_size = compress == 0 ? data_size : data_size + 1;
    if (bytes_size == 0)
        bytes_size++;
    raw_data = PyBytes_FromStringAndSize((char *)NULL, bytes_size);
If compress != 0, then bytes_size = data_size + 1. data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0. In that case bytes_size becomes 1 and Python allocates a small heap buffer, but after that, in fread, it overflows the heap.

----------
files: crash.py
messages: 258733
nosy: Insu Yun
priority: normal
severity: normal
status: open
title: heap overflow in zipimporter module
type: security
versions: Python 3.6
Added file: http://bugs.python.org/file41677/crash.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue26171>
_______________________________________
Python-bugs-list mailing list
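The following is an added worked example, not code from the report, from crash.py, or from CPython itself. It models the size arithmetic quoted above in plain C: the TOC fields compress and data_size are assumed to be C longs that reach this computation without validation (as the report states), a dry-run helper shows why a data_size of -1 leads to a 1-byte buffer paired with a huge fread() request without actually performing the out-of-bounds write, and a hardened variant (an assumption for illustration, not necessarily the fix applied upstream) rejects the negative size before any arithmetic.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the size computation quoted from zipimport.c. The TOC fields
 * (compress, data_size) are assumed to arrive as long, unvalidated, so a
 * negative data_size reaches this arithmetic unchecked.
 * Note: data_size == LONG_MAX with compress != 0 is signed overflow
 * (undefined behaviour in C); nothing below passes that here.
 */
long unchecked_bytes_size(long compress, long data_size)
{
    long bytes_size = compress == 0 ? data_size : data_size + 1;
    if (bytes_size == 0)
        bytes_size++;
    return bytes_size;
}

/*
 * The length fread() is later asked for: data_size converted to size_t.
 * For data_size == -1 this is SIZE_MAX, while the buffer is only 1 byte.
 */
size_t fread_request(long data_size)
{
    return (size_t)data_size;
}

/*
 * Dry run of "allocate bytes_size, then fread(data_size)" that performs no
 * write: returns 1 if fread() would write past the allocated buffer given
 * that the archive still has file_bytes_available bytes to deliver.
 */
int would_overflow(long compress, long data_size, size_t file_bytes_available)
{
    long bytes_size = unchecked_bytes_size(compress, data_size);
    if (bytes_size < 0)
        return 1;               /* negative allocation size: never safe */
    size_t want = fread_request(data_size);
    size_t got = want < file_bytes_available ? want : file_bytes_available;
    return got > (size_t)bytes_size;
}

/*
 * Hardened variant (an assumption for this example, not necessarily the
 * fix applied upstream): reject negative sizes before any arithmetic and
 * reject the data_size + 1 wraparound. Returns the size to allocate, or -1
 * on rejection; valid results are always >= 1, so -1 is unambiguous.
 */
long checked_bytes_size(long compress, long data_size)
{
    if (data_size < 0)
        return -1;
    if (compress != 0 && data_size == LONG_MAX)
        return -1;
    long bytes_size = compress == 0 ? data_size : data_size + 1;
    if (bytes_size == 0)
        bytes_size++;
    return bytes_size;
}

int main(void)
{
    /* Constructed TOC values: a compressed entry (compress = 8) with data_size = -1. */
    long compress = 8, data_size = -1;
    printf("unchecked bytes_size = %ld\n", unchecked_bytes_size(compress, data_size));
    printf("fread would request %zu bytes\n", fread_request(data_size));
    printf("overflow with 4096 bytes left in archive: %d\n",
           would_overflow(compress, data_size, 4096));
    printf("checked bytes_size = %ld\n", checked_bytes_size(compress, data_size));
    return 0;
}
```

The point of the dry run is that the allocation size and the read length are derived from the same untrusted field but through different conversions: the signed wraparound yields a tiny allocation, while the unsigned conversion yields a maximal read, and any bytes left in the archive beyond the first one land past the buffer. Validating data_size once, before either conversion, closes both paths.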