[issue30657] Unsafe arithmetic in PyString_DecodeEscape

2017-11-28 Thread Leo kirotawa silva
Leo kirotawa silva added the comment: I re-did the build here for python3.4 and couldn't reach the same test failure. So I'm assuming it was a false alarm. That said, I believe the same patch that applies to py2.7 also applies to 3.4 and 3.5. I've built them using the patch and did some regressi

[issue30657] Unsafe arithmetic in PyString_DecodeEscape

2017-11-24 Thread Leo kirotawa silva
Leo kirotawa silva added the comment: Python 3.4 also has similar code to 3.5, but applying the same patch tests for it results in test errors: +==

[issue30657] Unsafe arithmetic in PyString_DecodeEscape

2017-11-23 Thread Larry Hastings
Larry Hastings added the comment: I would welcome a backport of this for 3.5 and even 3.4 (if it's vulnerable, which it probably is).

[issue30657] Unsafe arithmetic in PyString_DecodeEscape

2017-11-23 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Right, but it is not easy to exploit this bug. You need to parse Python sources longer than 512 MiB in 32-bit Python. Python 3.5 currently takes only fixes for security bugs. I left it to Larry to decide whether it is worth porting the fix to 3.5.

[issue30657] Unsafe arithmetic in PyString_DecodeEscape

2017-11-23 Thread Leo kirotawa silva
Leo kirotawa silva added the comment: I couldn't reproduce using the poc, but it seems python3.5 is also vulnerable to this bug. The code from py3.5 is quite similar to 2.7. In py3.5: Objects/bytesobject.c PyBytes_DecodeEscape -- nosy: +Leo kirotawa silva

[issue30657] Unsafe arithmetic in PyString_DecodeEscape

2017-06-18 Thread Serhiy Storchaka
Changes by Serhiy Storchaka: -- resolution: -> fixed stage: patch review -> resolved status: open -> closed

[issue30657] Unsafe arithmetic in PyString_DecodeEscape

2017-06-18 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: New changeset c3c9db89273fabc62ea1b48389d9a3000c1c03ae by Serhiy Storchaka (Jay Bosamiya) in branch '2.7': [2.7] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174) https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d

[issue30657] Unsafe arithmetic in PyString_DecodeEscape

2017-06-16 Thread Serhiy Storchaka
Changes by Serhiy Storchaka: -- assignee: -> serhiy.storchaka stage: needs patch -> patch review

[issue30657] Unsafe arithmetic in PyString_DecodeEscape

2017-06-13 Thread Jay Bosamiya
Jay Bosamiya added the comment: I've made a patch that should fix the vulnerability. Please do let me know if changes are required. Thanks a lot :) PS: For anyone who looks at this later on, in my original message describing the issue, the line `*p++ = *s++;` should be marked as (4) instead to

[issue30657] Unsafe arithmetic in PyString_DecodeEscape

2017-06-13 Thread Jay Bosamiya
Changes by Jay Bosamiya: -- pull_requests: +2226

[issue30657] Unsafe arithmetic in PyString_DecodeEscape

2017-06-13 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Thank you for your report, Jay. Even if it is very unlikely that this can occur unintentionally or be used for an attack, this is still a bug and should be fixed. Do you want to provide a patch? -- keywords: +easy (C) stage: -> needs patch

[issue30657] Unsafe arithmetic in PyString_DecodeEscape

2017-06-13 Thread STINNER Victor
Changes by STINNER Victor: -- nosy: +serhiy.storchaka

[issue30657] Unsafe arithmetic in PyString_DecodeEscape

2017-06-13 Thread Jay Bosamiya
New submission from Jay Bosamiya: In Python 2.7, there is a possible integer overflow in the PyString_DecodeEscape function of the file stringobject.c, which can be abused to gain a heap overflow, possibly leading to arbitrary code execution. The relevant parts of the code are highlighted below: