[3.5] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (GH-2174) #4664

Merged: larryhastings merged 1 commit into python:3.5 from hroncok:fix-issue-30657 on Dec 8, 2017

@hroncok hroncok commented Dec 1, 2017

Fixes possible integer overflow in PyBytes_DecodeEscape, CVE-2017-1000158.
Original patch by Jay Bosamiya @jaybosamiya in #2174

https://bugs.python.org/issue30657

@bedevere-bot bedevere-bot added the type-bug An unexpected behavior, bug, or error label Dec 1, 2017

hroncok commented Dec 1, 2017

@jaybosamiya I can make you the author of that commit if you'd like, but since it's against a different file, I didn't just cherry-pick it, so I wasn't sure.

@hroncok hroncok changed the title from "[3.5] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174)" to "[3.5] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (GH-2174)" Dec 1, 2017
@bedevere-bot bedevere-bot added the type-bug An unexpected behavior, bug, or error label Dec 1, 2017
@jaybosamiya

I'm not sure of the convention for cpython when bringing a patch from one version to another, but I'm fine with it either way. Feel free to keep/change as you see fit :)

hroncok commented Dec 1, 2017

OK, let's wait for what the reviewer says.

@vstinner vstinner left a comment

Would you mind rewriting your commit message to mention the original author, using the following syntax?

Co-Authored-By: Jay Bosamiya <jaybosamiya@gmail.com>

@vstinner vstinner left a comment

The change itself LGTM.

Fixes possible integer overflow in PyBytes_DecodeEscape.

Co-Authored-By: Jay Bosamiya <jaybosamiya@gmail.com>

hroncok commented Dec 4, 2017

Commit message changed as requested.

@vstinner vstinner left a comment

LGTM.

vstinner commented Dec 4, 2017

@larryhastings: Would you mind merging this PR?

hroncok commented Dec 8, 2017

For 3.4: #4758

@larryhastings larryhastings merged commit fd8614c into python:3.5 Dec 8, 2017
@hroncok hroncok deleted the fix-issue-30657 branch December 8, 2017 21:41

hroncok commented Dec 8, 2017

Thanks @vstinner @larryhastings.
