[issue24708] strop.replace Integer Overflow

2015-07-24 Thread Roundup Robot
Roundup Robot added the comment: New changeset 7b5513e5afd2 by Benjamin Peterson in branch '2.7': proper overflow checks for mymemreplace (closes #24708) https://hg.python.org/cpython/rev/7b5513e5afd2 -- nosy: +python-dev resolution: -> fixed stage: patch review -> resolved status: open

[issue24708] strop.replace Integer Overflow

2015-07-24 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Here is the modified patch. In the new code we try to avoid integer wraparound. It is safer to raise MemoryError right after PyMem_MALLOC(), otherwise it would be possible to reraise an unrelated exception instead of MemoryError if strop.replace() is called without clearing

[issue24708] strop.replace Integer Overflow

2015-07-24 Thread John Leitch
John Leitch added the comment: Oops. Here's a corrected patch. -- Added file: http://bugs.python.org/file40009/strop.replace_Integer_Overflow.patch

[issue24708] strop.replace Integer Overflow

2015-07-24 Thread John Leitch
Changes by John Leitch: Removed file: http://bugs.python.org/file40006/strop.replace_Integer_Overflow.patch

[issue24708] strop.replace Integer Overflow

2015-07-24 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: The patch looks truncated at the 120th column. -- assignee: -> serhiy.storchaka components: +Extension Modules nosy: +serhiy.storchaka stage: -> patch review type: security -> crash

[issue24708] strop.replace Integer Overflow

2015-07-24 Thread John Leitch
New submission from John Leitch: The Python strop.replace() method suffers from an integer overflow that can be exploited to write outside the bounds of the string buffer and potentially achieve code execution. The issue can be triggered by performing a large substitution that overflows the ar

[issue24708] strop.replace Integer Overflow

2015-07-24 Thread John Leitch
John Leitch added the comment: Attaching repro. -- Added file: http://bugs.python.org/file40007/strop.replace_Integer_Overflow.py