➜
This issue trackerhas been migrated toGitHub, and is currentlyread-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.
Created on2013-12-04 09:34 bychristian.heimes, last changed2022-04-11 14:57 byadmin. This issue is nowclosed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| zipimport_header_offset.patch | christian.heimes,2013-12-04 09:34 | review | ||
| zipimport_int_overflow.patch | vstinner,2013-12-08 11:10 | review | ||
| zipimport_int_overflow_2.patch | serhiy.storchaka,2015-11-08 17:45 | review | ||
| zipimport_int_overflow_3.patch | serhiy.storchaka,2016-01-22 11:49 | review | ||
| zipimport_int_overflow_4.patch | serhiy.storchaka,2016-01-23 10:12 | review | ||
| Messages (17) | |||
|---|---|---|---|
| msg205209 -(view) | Author: Christian Heimes (christian.heimes)* | Date: 2013-12-04 09:34 | |
MSVC complains about "conversion from 'Py_ssize_t' to 'long', possible loss of data" in zipimport.c. header_offset is a Py_ssize_t but fseek() only takes a long. On 64bit Windows Py_ssize_t is a 64bit data type but long is still a 32bit data type.It's safe to assume that the header will be smaller than 2 GB for the next couple of years. :) | |||
| msg205210 -(view) | Author: STINNER Victor (vstinner)* | Date: 2013-12-04 09:57 | |
read_directory() uses fseek() and ftell() which don't support offset larger than LONG_MAX (2 GB on 32-bit system). I don't know if it's an issue. What happens if the file is longer?"header_offset += arc_offset;" can overflow or not? This instuction looks weird. header_position = ftell(fp); ... header_offset = get_long((unsigned char *)endof_central_dir + 16); arc_offset = header_position - header_offset - header_size; header_offset += arc_offset;If I computed correctly, the final line can be replaced with: arc_offset = header_position - header_offset - header_size; header_offset = header_position - header_size;(It is weird to reuse header_position for two different values, a new variable may be added.)Instead of checking that "header_offset > LONG_MAX", it may be safer to check that: - header_size >= 0 - header_offset >= 0 - header_offset + header_size <= LONG_MAX ---> header_offset <= LONG_MAX - header_size - arc_offset >= 0 ---> header_position >= header_offset + header_size - header_offset > 0 ---> header_position >= header_sizeIf all these values must be positive according to ZIP format, get_long() may be replaced with get_ulong() to simplify these checks. | |||
| msg205211 -(view) | Author: STINNER Victor (vstinner)* | Date: 2013-12-04 10:00 | |
See also zipfile.py which is probably more correct than zipimport.c: zipfile uses for example "L" format for struct.unpack (*unsigned* long) to decode header fields. | |||
| msg205380 -(view) | Author: Serhiy Storchaka (serhiy.storchaka)* | Date: 2013-12-06 15:28 | |
Yes, these fields are unsingned. | |||
| msg205504 -(view) | Author: Gregory P. Smith (gregory.p.smith)* | Date: 2013-12-08 02:08 | |
zipimport.c makes no attempt to support zip files larger than 2GiB or zip64 files. | |||
| msg205544 -(view) | Author: STINNER Victor (vstinner)* | Date: 2013-12-08 11:10 | |
Here is a work-in-progress patch.PyMarshal_ReadShortFromFile() and PyMarshal_ReadLongFromFile() are still wrong: new Unsigned version should be added to marshal.c. I don't know if a C cast to unsigned is enough because long can be larger than 32-bit (ex: on Linux 64-bit):#if SIZEOF_LONG > 4 /* Sign extension for 64-bit machines */ x |= -(x & 0x80000000L);#endifI didn't test my patch. Anyone interested to finish the patch? | |||
| msg205597 -(view) | Author: Gregory P. Smith (gregory.p.smith)* | Date: 2013-12-08 19:29 | |
comments added to the patch. | |||
| msg231272 -(view) | Author: Serhiy Storchaka (serhiy.storchaka)* | Date: 2014-11-17 08:27 | |
Ping. | |||
| msg254348 -(view) | Author: Serhiy Storchaka (serhiy.storchaka)* | Date: 2015-11-08 17:27 | |
Here is revised patch. It addresses Gregory's comments, uses properly integer types and converters for all values, and adds additional checks for integer overflows and ZIP file validity. As a side effect the performance can be increased due to less memory allocations and IO operations. | |||
| msg254351 -(view) | Author: Serhiy Storchaka (serhiy.storchaka)* | Date: 2015-11-08 17:45 | |
Sorry, the patch contained parts of the advanced patch that will be submitted in separate issue. | |||
| msg258797 -(view) | Author: Serhiy Storchaka (serhiy.storchaka)* | Date: 2016-01-22 11:49 | |
Synchronized with current sources. | |||
| msg258858 -(view) | Author: Serhiy Storchaka (serhiy.storchaka)* | Date: 2016-01-23 10:12 | |
Updated patch addresses Victor's comments and adds (mandatory now) parenthesis. Thank you Victor. | |||
| msg258862 -(view) | Author: STINNER Victor (vstinner)* | Date: 2016-01-23 11:54 | |
Serhiy Storchaka added the comment:> Updated patch addresses Victor's comments and adds (mandatory now) parenthesis. Thank you Victor.Do you mean braces {...}?The new patch looks good to me, thanks for taking all my comments in account ;-) | |||
| msg259153 -(view) | Author: Roundup Robot (python-dev) | Date: 2016-01-28 19:33 | |
New changeset687be1cbe587 by Serhiy Storchaka in branch '3.5':Issue#19883: Fixed possible integer overflows in zipimport.https://hg.python.org/cpython/rev/687be1cbe587New changesetf4631dc56ecf by Serhiy Storchaka in branch 'default':Issue#19883: Fixed possible integer overflows in zipimport.https://hg.python.org/cpython/rev/f4631dc56ecfNew changesetcebcd2fd3e1f by Serhiy Storchaka in branch '2.7':Issue#19883: Fixed possible integer overflows in zipimport.https://hg.python.org/cpython/rev/cebcd2fd3e1f | |||
| msg259165 -(view) | Author: Martin Panter (martin.panter)* | Date: 2016-01-28 22:24 | |
This seems to be causing an infinite loop in 2.7, in test_cmd_line_script.CmdLineTest.test_module_in_package_in_zipfile():test_module_in_package_in_zipfile (test.test_cmd_line_script.CmdLineTest) ... ^CTest suite interrupted by signal SIGINT.1 test omitted: test_cmd_line_script[Exit 1][vadmium@localhost cpython]$ sudo strace -p 11412 2>&1 | headProcess 11412 attached - interrupt to quitlseek(3, 1024, SEEK_SET) = 1024lseek(3, 1024, SEEK_SET) = 1024lseek(3, 1024, SEEK_SET) = 1024lseek(3, 1024, SEEK_SET) = 1024lseek(3, 1024, SEEK_SET) = 1024lseek(3, 1024, SEEK_SET) = 1024lseek(3, 1024, SEEK_SET) = 1024lseek(3, 1024, SEEK_SET) = 1024lseek(3, 1024, SEEK_SET) = 1024[vadmium@localhost cpython]$ ls -l /proc/11412/fdtotal 0lr-x------ 1 vadmium users 64 Jan 29 22:23 0 -> pipe:[1249749]l-wx------ 1 vadmium users 64 Jan 29 22:23 1 -> pipe:[1249750]l-wx------ 1 vadmium users 64 Jan 29 22:23 2 -> pipe:[1249750]lr-x------ 1 vadmium users 64 Jan 29 22:23 3 -> /tmp/tmpHMiuOm/test_zip.zip (deleted)[vadmium@localhost cpython]$ kill 11412 | |||
| msg259168 -(view) | Author: Roundup Robot (python-dev) | Date: 2016-01-28 22:38 | |
New changeset82ee3c24bb86 by Serhiy Storchaka in branch '2.7':Fixed an infinite loop in zipimport caused bycebcd2fd3e1f (issue#19883).https://hg.python.org/cpython/rev/82ee3c24bb86 | |||
| msg259169 -(view) | Author: Serhiy Storchaka (serhiy.storchaka)* | Date: 2016-01-28 22:39 | |
Thank you Martin. | |||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:57:54 | admin | set | github: 64082 |
| 2016-01-29 17:14:48 | serhiy.storchaka | set | status: open -> closed resolution: fixed stage: patch review -> resolved |
| 2016-01-28 22:39:08 | serhiy.storchaka | set | messages: +msg259169 |
| 2016-01-28 22:38:13 | python-dev | set | messages: +msg259168 |
| 2016-01-28 22:24:48 | martin.panter | set | nosy: +martin.panter messages: +msg259165 |
| 2016-01-28 19:33:33 | python-dev | set | nosy: +python-dev messages: +msg259153 |
| 2016-01-23 11:54:04 | vstinner | set | messages: +msg258862 |
| 2016-01-23 10:12:50 | serhiy.storchaka | set | files: +zipimport_int_overflow_4.patch assignee:serhiy.storchaka messages: +msg258858 |
| 2016-01-22 11:50:00 | serhiy.storchaka | set | files: +zipimport_int_overflow_3.patch components: + Extension Modules versions: - Python 3.4 keywords: +needs review nosy: +benjamin.peterson messages: +msg258797 |
| 2015-11-08 17:45:44 | serhiy.storchaka | set | files: +zipimport_int_overflow_2.patch messages: +msg254351 |
| 2015-11-08 17:44:20 | serhiy.storchaka | set | files: -zipimport_int_overflow_2.patch |
| 2015-11-08 17:42:55 | serhiy.storchaka | set | files: +zipimport_int_overflow_2.patch |
| 2015-11-08 17:42:22 | serhiy.storchaka | set | files: -zipimport_int_overflow_2.patch |
| 2015-11-08 17:27:52 | serhiy.storchaka | set | files: +zipimport_int_overflow_2.patch messages: +msg254348 |
| 2015-08-05 15:53:39 | eric.snow | set | versions: + Python 3.6 |
| 2015-08-05 15:53:08 | eric.snow | set | nosy: +eric.snow,superluser |
| 2014-11-17 08:27:58 | serhiy.storchaka | set | messages: +msg231272 |
| 2014-08-18 10:00:47 | serhiy.storchaka | set | versions: + Python 2.7, Python 3.5, - Python 3.3 |
| 2013-12-08 19:29:52 | gregory.p.smith | set | messages: +msg205597 |
| 2013-12-08 11:10:28 | vstinner | set | files: +zipimport_int_overflow.patch messages: +msg205544 |
| 2013-12-08 02:08:04 | gregory.p.smith | set | nosy: +gregory.p.smith messages: +msg205504 |
| 2013-12-06 15:28:30 | serhiy.storchaka | set | messages: +msg205380 |
| 2013-12-06 15:18:18 | brett.cannon | set | assignee:brett.cannon -> (no value) |
| 2013-12-04 10:21:05 | serhiy.storchaka | set | nosy: +serhiy.storchaka |
| 2013-12-04 10:00:20 | vstinner | set | messages: +msg205211 |
| 2013-12-04 09:57:49 | vstinner | set | nosy: +vstinner messages: +msg205210 title: overflow in zipexport.c -> Integer overflow in zipimport.c |
| 2013-12-04 09:34:05 | christian.heimes | create | |