On Tue, 5 Aug 2008, Toni Mueller wrote: > > Hi, > > On Tue, 05.08.2008 at 18:36:34 +1000, Damien Miller <[EMAIL PROTECTED]> wrote: > > Ok, here is a patch for lang/python/2.5. > > thank you very much for the effort. Unfortunately, there's some more > stuff which should probably make it (code execution problems included). > I found these just today, assuming that everything up to CVE-2008-2315 > is already covered: > > CVE-2008-3144
Already in my patchset > CVE-2008-3143 This is already fixed in 2.5.2 > CVE-2008-3142 Already in my patchset > CVE-2008-2316 Applied (though only exploitable on amd64) - new diff attached. -d Index: Makefile =================================================================== RCS file: /cvs/ports/lang/python/2.5/Makefile,v retrieving revision 1.23 diff -u -p -r1.23 Makefile --- Makefile 25 Jul 2008 19:32:21 -0000 1.23 +++ Makefile 5 Aug 2008 11:06:58 -0000 @@ -2,7 +2,7 @@ VERSION= 2.5 PATCHLEVEL= .2 -PKG_PATCHLEVEL= p3 +PKG_PATCHLEVEL= p4 SHARED_LIBS= python2.5 1.0 # PSUBDIR= python/${VERSION} Index: patches/patch-Include_pymem_h =================================================================== RCS file: patches/patch-Include_pymem_h diff -N patches/patch-Include_pymem_h --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Include_pymem_h 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,59 @@ +$OpenBSD$ +--- Include/pymem.h.orig Thu Feb 14 22:26:18 2008 ++++ Include/pymem.h Tue Aug 5 18:18:52 2008 +@@ -67,8 +67,12 @@ PyAPI_FUNC(void) PyMem_Free(void *); + for malloc(0), which would be treated as an error. Some platforms + would return a pointer with no memory behind it, which would break + pymalloc. To solve these problems, allocate an extra byte. */ +-#define PyMem_MALLOC(n) malloc((n) ? (n) : 1) +-#define PyMem_REALLOC(p, n) realloc((p), (n) ? (n) : 1) ++/* Returns NULL to indicate error if a negative size or size larger than ++ Py_ssize_t can represent is supplied. Helps prevents security holes. */ ++#define PyMem_MALLOC(n) (((n) < 0 || (n) > PY_SSIZE_T_MAX) ? NULL \ ++ : malloc((n) ? (n) : 1)) ++#define PyMem_REALLOC(p, n) (((n) < 0 || (n) > PY_SSIZE_T_MAX) ? NULL \ ++ : realloc((p), (n) ? (n) : 1)) + #define PyMem_FREE free + + #endif /* PYMALLOC_DEBUG */ +@@ -77,24 +81,31 @@ PyAPI_FUNC(void) PyMem_Free(void *); + * Type-oriented memory interface + * ============================== + * +- * These are carried along for historical reasons. There's rarely a good +- * reason to use them anymore (you can just as easily do the multiply and +- * cast yourself). ++ * Allocate memory for n objects of the given type. Returns a new pointer ++ * or NULL if the request was too large or memory allocation failed. Use ++ * these macros rather than doing the multiplication yourself so that proper ++ * overflow checking is always done. + */ + + #define PyMem_New(type, n) \ +- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ ++ ( ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \ + ( (type *) PyMem_Malloc((n) * sizeof(type)) ) ) + #define PyMem_NEW(type, n) \ +- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ ++ ( ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \ + ( (type *) PyMem_MALLOC((n) * sizeof(type)) ) ) + ++/* ++ * The value of (p) is always clobbered by this macro regardless of success. ++ * The caller MUST check if (p) is NULL afterwards and deal with the memory ++ * error if so. This means the original value of (p) MUST be saved for the ++ * caller's memory error handler to not lose track of it. ++ */ + #define PyMem_Resize(p, type, n) \ +- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ +- ( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) ) ++ ( (p) = ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \ ++ (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) + #define PyMem_RESIZE(p, type, n) \ +- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ +- ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) ) ++ ( (p) = ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \ ++ (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) + + /* PyMem{Del,DEL} are left over from ancient days, and shouldn't be used + * anymore. They're just confusing aliases for PyMem_{Free,FREE} now. Index: patches/patch-Lib_test_seq_tests_py =================================================================== RCS file: patches/patch-Lib_test_seq_tests_py diff -N patches/patch-Lib_test_seq_tests_py --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Lib_test_seq_tests_py 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,22 @@ +$OpenBSD$ +--- Lib/test/seq_tests.py.orig Tue Nov 13 07:04:41 2007 ++++ Lib/test/seq_tests.py Tue Aug 5 18:18:52 2008 +@@ -307,11 +307,13 @@ class CommonTest(unittest.TestCase): + self.assertEqual(id(s), id(s*1)) + + def test_bigrepeat(self): +- x = self.type2test([0]) +- x *= 2**16 +- self.assertRaises(MemoryError, x.__mul__, 2**16) +- if hasattr(x, '__imul__'): +- self.assertRaises(MemoryError, x.__imul__, 2**16) ++ import sys ++ if sys.maxint <= 2147483647: ++ x = self.type2test([0]) ++ x *= 2**16 ++ self.assertRaises(MemoryError, x.__mul__, 2**16) ++ if hasattr(x, '__imul__'): ++ self.assertRaises(MemoryError, x.__imul__, 2**16) + + def test_subscript(self): + a = self.type2test([10, 11]) Index: patches/patch-Lib_test_test_bigmem_py =================================================================== RCS file: patches/patch-Lib_test_test_bigmem_py diff -N patches/patch-Lib_test_test_bigmem_py --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Lib_test_test_bigmem_py 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,154 @@ +$OpenBSD$ +--- Lib/test/test_bigmem.py.orig Sat Dec 1 08:53:17 2007 ++++ Lib/test/test_bigmem.py Tue Aug 5 18:18:52 2008 +@@ -1,5 +1,5 @@ + from test import test_support +-from test.test_support import bigmemtest, _1G, _2G ++from test.test_support import bigmemtest, _1G, _2G, _4G, precisionbigmemtest + + import unittest + import operator +@@ -54,6 +54,22 @@ class StrTest(unittest.TestCase): + self.assertEquals(s[lpadsize:-rpadsize], SUBSTR) + self.assertEquals(s.strip(), SUBSTR.strip()) + ++ @precisionbigmemtest(size=_2G - 1, memuse=1) ++ def test_center_unicode(self, size): ++ SUBSTR = u' abc def ghi' ++ try: ++ s = SUBSTR.center(size) ++ except OverflowError: ++ pass # acceptable on 32-bit ++ else: ++ self.assertEquals(len(s), size) ++ lpadsize = rpadsize = (len(s) - len(SUBSTR)) // 2 ++ if len(s) % 2: ++ lpadsize += 1 ++ self.assertEquals(s[lpadsize:-rpadsize], SUBSTR) ++ self.assertEquals(s.strip(), SUBSTR.strip()) ++ del s ++ + @bigmemtest(minsize=_2G, memuse=2) + def test_count(self, size): + SUBSTR = ' abc def ghi' +@@ -70,11 +86,45 @@ class StrTest(unittest.TestCase): + s = '.' * size + self.assertEquals(len(s.decode('utf-8')), size) + ++ def basic_encode_test(self, size, enc, c=u'.', expectedsize=None): ++ if expectedsize is None: ++ expectedsize = size ++ ++ s = c * size ++ self.assertEquals(len(s.encode(enc)), expectedsize) ++ + @bigmemtest(minsize=_2G + 2, memuse=3) + def test_encode(self, size): +- s = u'.' * size +- self.assertEquals(len(s.encode('utf-8')), size) ++ return self.basic_encode_test(size, 'utf-8') + ++ @precisionbigmemtest(size=_4G / 6 + 2, memuse=2) ++ def test_encode_raw_unicode_escape(self, size): ++ try: ++ return self.basic_encode_test(size, 'raw_unicode_escape') ++ except MemoryError: ++ pass # acceptable on 32-bit ++ ++ @precisionbigmemtest(size=_4G / 5 + 70, memuse=3) ++ def test_encode_utf7(self, size): ++ try: ++ return self.basic_encode_test(size, 'utf7') ++ except MemoryError: ++ pass # acceptable on 32-bit ++ ++ @precisionbigmemtest(size=_2G-1, memuse=2) ++ def test_decodeascii(self, size): ++ return self.basic_encode_test(size, 'ascii', c='A') ++ ++ @precisionbigmemtest(size=_4G / 5, memuse=6+2) ++ def test_unicode_repr_oflw(self, size): ++ try: ++ s = u"\uAAAA"*size ++ r = repr(s) ++ except MemoryError: ++ pass # acceptable on 32-bit ++ else: ++ self.failUnless(s == eval(r)) ++ + @bigmemtest(minsize=_2G, memuse=2) + def test_endswith(self, size): + SUBSTR = ' abc def ghi' +@@ -459,6 +509,11 @@ class StrTest(unittest.TestCase): + self.assertEquals(s.count('\\'), size) + self.assertEquals(s.count('0'), size * 2) + ++ @bigmemtest(minsize=2**32 / 5, memuse=6+2) ++ def test_unicode_repr(self, size): ++ s = u"\uAAAA" * size ++ self.failUnless(len(repr(s)) > size) ++ + # This test is meaningful even with size < 2G, as long as the + # doubled string is > 2G (but it tests more if both are > 2G :) + @bigmemtest(minsize=_1G + 2, memuse=3) +@@ -642,6 +697,35 @@ class TupleTest(unittest.TestCase): + def test_repeat_large(self, size): + return self.basic_test_repeat(size) + ++ @bigmemtest(minsize=_1G - 1, memuse=12) ++ def test_repeat_large_2(self, size): ++ return self.basic_test_repeat(size) ++ ++ @precisionbigmemtest(size=_1G - 1, memuse=9) ++ def test_from_2G_generator(self, size): ++ try: ++ t = tuple(xrange(size)) ++ except MemoryError: ++ pass # acceptable on 32-bit ++ else: ++ count = 0 ++ for item in t: ++ self.assertEquals(item, count) ++ count += 1 ++ self.assertEquals(count, size) ++ ++ @precisionbigmemtest(size=_1G - 25, memuse=9) ++ def test_from_almost_2G_generator(self, size): ++ try: ++ t = tuple(xrange(size)) ++ count = 0 ++ for item in t: ++ self.assertEquals(item, count) ++ count += 1 ++ self.assertEquals(count, size) ++ except MemoryError: ++ pass # acceptable, expected on 32-bit ++ + # Like test_concat, split in two. + def basic_test_repr(self, size): + t = (0,) * size +@@ -957,8 +1041,23 @@ class ListTest(unittest.TestCase): + self.assertEquals(l[:10], [1] * 10) + self.assertEquals(l[-10:], [5] * 10) + ++class BufferTest(unittest.TestCase): ++ ++ @precisionbigmemtest(size=_1G, memuse=4) ++ def test_repeat(self, size): ++ try: ++ b = buffer("AAAA")*size ++ except MemoryError: ++ pass # acceptable on 32-bit ++ else: ++ count = 0 ++ for c in b: ++ self.assertEquals(c, 'A') ++ count += 1 ++ self.assertEquals(count, size*4) ++ + def test_main(): +- test_support.run_unittest(StrTest, TupleTest, ListTest) ++ test_support.run_unittest(StrTest, TupleTest, ListTest, BufferTest) + + if __name__ == '__main__': + if len(sys.argv) > 1: Index: patches/patch-Lib_test_test_ioctl_py =================================================================== RCS file: patches/patch-Lib_test_test_ioctl_py diff -N patches/patch-Lib_test_test_ioctl_py --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Lib_test_test_ioctl_py 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,46 @@ +$OpenBSD$ +--- Lib/test/test_ioctl.py.orig Thu Sep 15 04:09:42 2005 ++++ Lib/test/test_ioctl.py Tue Aug 5 18:18:52 2008 +@@ -14,6 +14,11 @@ try: + except IOError: + raise TestSkipped("Unable to open /dev/tty") + ++try: ++ import pty ++except ImportError: ++ pty = None ++ + class IoctlTests(unittest.TestCase): + def test_ioctl(self): + # If this process has been put into the background, TIOCGPGRP returns +@@ -33,6 +38,30 @@ class IoctlTests(unittest.TestCase): + rpgrp = buf[0] + self.assertEquals(r, 0) + self.assert_(rpgrp in ids, "%s not in %s" % (rpgrp, ids)) ++ ++ def test_ioctl_signed_unsigned_code_param(self): ++ if not pty: ++ raise TestSkipped('pty module required') ++ mfd, sfd = pty.openpty() ++ try: ++ if termios.TIOCSWINSZ < 0: ++ set_winsz_opcode_maybe_neg = termios.TIOCSWINSZ ++ set_winsz_opcode_pos = termios.TIOCSWINSZ & 0xffffffffL ++ else: ++ set_winsz_opcode_pos = termios.TIOCSWINSZ ++ set_winsz_opcode_maybe_neg, = struct.unpack("i", ++ struct.pack("I", termios.TIOCSWINSZ)) ++ ++ # We're just testing that these calls do not raise exceptions. ++ saved_winsz = fcntl.ioctl(mfd, termios.TIOCGWINSZ, "\0"*8) ++ our_winsz = struct.pack("HHHH",80,25,0,0) ++ # test both with a positive and potentially negative ioctl code ++ new_winsz = fcntl.ioctl(mfd, set_winsz_opcode_pos, our_winsz) ++ new_winsz = fcntl.ioctl(mfd, set_winsz_opcode_maybe_neg, our_winsz) ++ fcntl.ioctl(mfd, set_winsz_opcode_maybe_neg, saved_winsz) ++ finally: ++ os.close(mfd) ++ os.close(sfd) + + def test_main(): + run_unittest(IoctlTests) Index: patches/patch-Lib_test_test_strop_py =================================================================== RCS file: patches/patch-Lib_test_test_strop_py diff -N patches/patch-Lib_test_test_strop_py --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Lib_test_test_strop_py 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,29 @@ +$OpenBSD$ +--- Lib/test/test_strop.py.orig Wed Jul 31 09:27:12 2002 ++++ Lib/test/test_strop.py Tue Aug 5 18:18:52 2008 +@@ -115,6 +115,25 @@ class StropFunctionTestCase(unittest.TestCase): + strop.uppercase + strop.whitespace + ++ @test_support.precisionbigmemtest(size=test_support._2G - 1, memuse=5) ++ def test_stropjoin_huge_list(self, size): ++ a = "A" * size ++ try: ++ r = strop.join([a, a], a) ++ except OverflowError: ++ pass ++ else: ++ self.assertEquals(len(r), len(a) * 3) ++ ++ @test_support.precisionbigmemtest(size=test_support._2G - 1, memuse=1) ++ def test_stropjoin_huge_tup(self, size): ++ a = "A" * size ++ try: ++ r = strop.join((a, a), a) ++ except OverflowError: ++ pass # acceptable on 32-bit ++ else: ++ self.assertEquals(len(r), len(a) * 3) + + transtable = '\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037 !"#$%&\'()*+,-./0123456789:;<=>[EMAIL PROTECTED]|}~\177\200\201\202\203\204\205\206\207\210\211\212\213\214\215\216\217\220\221\222\223\224\225\226\227\230\231\232\233\234\235\236\237\240\241\242\243\244\245\246\247\250\251\252\253\254\255\256\257\260\261\262\263\264\265\266\267\270\271\272\273\274\275\276\277\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357\360\361\362\363\364\365\366\367\370\371\372\373\374\375\376\377' + Index: patches/patch-Lib_test_test_support_py =================================================================== RCS file: patches/patch-Lib_test_test_support_py diff -N patches/patch-Lib_test_test_support_py --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Lib_test_test_support_py 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,63 @@ +$OpenBSD$ +--- Lib/test/test_support.py.orig Sun Jan 27 12:24:44 2008 ++++ Lib/test/test_support.py Tue Aug 5 18:18:52 2008 +@@ -33,6 +33,7 @@ verbose = 1 # Flag set to 0 by regrtest.p + use_resources = None # Flag set to [] by regrtest.py + max_memuse = 0 # Disable bigmem tests (they will still be run with + # small sizes, to make sure they work.) ++real_max_memuse = 0 + + # _original_stdout is meant to hold stdout at the time regrtest began. + # This may be "the real" stdout, or IDLE's emulation of stdout, or whatever. +@@ -323,6 +324,7 @@ def run_with_locale(catstr, *locales): + _1M = 1024*1024 + _1G = 1024 * _1M + _2G = 2 * _1G ++_4G = 4 * _1G + + # Hack to get at the maximum value an internal index can take. + class _Dummy: +@@ -333,6 +335,7 @@ MAX_Py_ssize_t = _Dummy()[:] + def set_memlimit(limit): + import re + global max_memuse ++ global real_max_memuse + sizes = { + 'k': 1024, + 'm': _1M, +@@ -344,6 +347,7 @@ def set_memlimit(limit): + if m is None: + raise ValueError('Invalid memory limit %r' % (limit,)) + memlimit = int(float(m.group(1)) * sizes[m.group(3).lower()]) ++ real_max_memuse = memlimit + if memlimit > MAX_Py_ssize_t: + memlimit = MAX_Py_ssize_t + if memlimit < _2G - 1: +@@ -384,6 +388,27 @@ def bigmemtest(minsize, memuse, overhead=5*_1M): + maxsize = max(maxsize - 50 * _1M, minsize) + return f(self, maxsize) + wrapper.minsize = minsize ++ wrapper.memuse = memuse ++ wrapper.overhead = overhead ++ return wrapper ++ return decorator ++ ++def precisionbigmemtest(size, memuse, overhead=5*_1M): ++ def decorator(f): ++ def wrapper(self): ++ if not real_max_memuse: ++ maxsize = 5147 ++ else: ++ maxsize = size ++ ++ if real_max_memuse and real_max_memuse < maxsize * memuse: ++ if verbose: ++ sys.stderr.write("Skipping %s because of memory " ++ "constraint\n" % (f.__name__,)) ++ return ++ ++ return f(self, maxsize) ++ wrapper.size = size + wrapper.memuse = memuse + wrapper.overhead = overhead + return wrapper Index: patches/patch-Lib_test_test_unicode_py =================================================================== RCS file: patches/patch-Lib_test_test_unicode_py diff -N patches/patch-Lib_test_test_unicode_py --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Lib_test_test_unicode_py 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,13 @@ +$OpenBSD$ +--- Lib/test/test_unicode.py.orig Mon Jun 11 14:31:25 2007 ++++ Lib/test/test_unicode.py Tue Aug 5 18:18:52 2008 +@@ -532,6 +532,9 @@ class UnicodeTest( + + self.assertEqual(unicode('+3ADYAA-', 'utf-7', 'replace'), u'\ufffd') + ++ # Issue #2242: crash on some Windows/MSVC versions ++ self.assertRaises(UnicodeDecodeError, '+\xc1'.decode, 'utf-7') ++ + def test_codecs_utf8(self): + self.assertEqual(u''.encode('utf-8'), '') + self.assertEqual(u'\u20ac'.encode('utf-8'), '\xe2\x82\xac') Index: patches/patch-Lib_test_test_zlib_py =================================================================== RCS file: patches/patch-Lib_test_test_zlib_py diff -N patches/patch-Lib_test_test_zlib_py --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Lib_test_test_zlib_py 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,15 @@ +$OpenBSD$ +--- Lib/test/test_zlib.py.orig Mon Jun 12 13:33:09 2006 ++++ Lib/test/test_zlib.py Tue Aug 5 18:18:52 2008 +@@ -71,6 +71,11 @@ class ExceptionTestCase(unittest.TestCase): + # verify failure on building decompress object with bad params + self.assertRaises(ValueError, zlib.decompressobj, 0) + ++ def test_decompressobj_badflush(self): ++ # verify failure on calling decompressobj.flush with bad params ++ self.assertRaises(ValueError, zlib.decompressobj().flush, 0) ++ self.assertRaises(ValueError, zlib.decompressobj().flush, -1) ++ + + + class CompressTestCase(unittest.TestCase): Index: patches/patch-Modules__hashopenssl_c =================================================================== RCS file: patches/patch-Modules__hashopenssl_c diff -N patches/patch-Modules__hashopenssl_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules__hashopenssl_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,108 @@ +$OpenBSD$ +--- Modules/_hashopenssl.c.orig Tue May 30 07:04:52 2006 ++++ Modules/_hashopenssl.c Tue Aug 5 21:04:47 2008 +@@ -19,7 +19,9 @@ + /* EVP is the preferred interface to hashing in OpenSSL */ + #include <openssl/evp.h> + ++#define MUNCH_SIZE INT_MAX + ++ + #ifndef HASH_OBJ_CONSTRUCTOR + #define HASH_OBJ_CONSTRUCTOR 0 + #endif +@@ -164,9 +166,18 @@ EVP_update(EVPobject *self, PyObject *args) + if (!PyArg_ParseTuple(args, "s#:update", &cp, &len)) + return NULL; + ++ if (len > 0 && len <= MUNCH_SIZE) { + EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, + unsigned int)); +- ++ } else { ++ Py_ssize_t offset = 0; ++ while (len) { ++ unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len; ++ EVP_DigestUpdate(&self->ctx, cp + offset, process); ++ len -= process; ++ offset += process; ++ } ++ } + Py_INCREF(Py_None); + return Py_None; + } +@@ -255,10 +266,21 @@ EVP_tp_init(EVPobject *self, PyObject *args, PyObject + self->name = name_obj; + Py_INCREF(self->name); + +- if (cp && len) ++ if (cp && len) { ++ if (len > 0 && len <= MUNCH_SIZE) { + EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, + unsigned int)); +- ++ } else { ++ Py_ssize_t offset = 0; ++ while (len) { ++ unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len; ++ EVP_DigestUpdate(&self->ctx, cp + offset, process); ++ len -= process; ++ offset += process; ++ } ++ } ++ } ++ + return 0; + } + #endif +@@ -328,7 +350,7 @@ static PyTypeObject EVPtype = { + static PyObject * + EVPnew(PyObject *name_obj, + const EVP_MD *digest, const EVP_MD_CTX *initial_ctx, +- const unsigned char *cp, unsigned int len) ++ const unsigned char *cp, Py_ssize_t len) + { + EVPobject *self; + +@@ -346,8 +368,20 @@ EVPnew(PyObject *name_obj, + EVP_DigestInit(&self->ctx, digest); + } + +- if (cp && len) +- EVP_DigestUpdate(&self->ctx, cp, len); ++ if (cp && len) { ++ if (len > 0 && len <= MUNCH_SIZE) { ++ EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, ++ unsigned int)); ++ } else { ++ Py_ssize_t offset = 0; ++ while (len) { ++ unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len; ++ EVP_DigestUpdate(&self->ctx, cp + offset, process); ++ len -= process; ++ offset += process; ++ } ++ } ++ } + + return (PyObject *)self; + } +@@ -384,8 +418,7 @@ EVP_new(PyObject *self, PyObject *args, PyObject *kwdi + + digest = EVP_get_digestbyname(name); + +- return EVPnew(name_obj, digest, NULL, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, +- unsigned int)); ++ return EVPnew(name_obj, digest, NULL, cp, len); + } + + /* +@@ -410,7 +443,7 @@ EVP_new(PyObject *self, PyObject *args, PyObject *kwdi + CONST_ ## NAME ## _name_obj, \ + NULL, \ + CONST_new_ ## NAME ## _ctx_p, \ +- cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int)); \ ++ cp, len); \ + } + + /* a PyMethodDef structure for the constructor */ Index: patches/patch-Modules_almodule_c =================================================================== RCS file: patches/patch-Modules_almodule_c diff -N patches/patch-Modules_almodule_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_almodule_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,15 @@ +$OpenBSD$ +--- Modules/almodule.c.orig Mon Sep 25 16:53:42 2006 ++++ Modules/almodule.c Tue Aug 5 18:18:52 2008 +@@ -1633,9 +1633,11 @@ al_QueryValues(PyObject *self, PyObject *args) + if (nvals < 0) + goto cleanup; + if (nvals > setsize) { ++ ALvalue *old_return_set = return_set; + setsize = nvals; + PyMem_RESIZE(return_set, ALvalue, setsize); + if (return_set == NULL) { ++ return_set = old_return_set; + PyErr_NoMemory(); + goto cleanup; + } Index: patches/patch-Modules_arraymodule_c =================================================================== RCS file: patches/patch-Modules_arraymodule_c diff -N patches/patch-Modules_arraymodule_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_arraymodule_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,34 @@ +$OpenBSD$ +--- Modules/arraymodule.c.orig Sat Feb 16 06:11:46 2008 ++++ Modules/arraymodule.c Tue Aug 5 18:18:52 2008 +@@ -816,6 +816,7 @@ static int + array_do_extend(arrayobject *self, PyObject *bb) + { + Py_ssize_t size; ++ char *old_item; + + if (!array_Check(bb)) + return array_iter_extend(self, bb); +@@ -831,10 +832,11 @@ array_do_extend(arrayobject *self, PyObject *bb) + return -1; + } + size = self->ob_size + b->ob_size; ++ old_item = self->ob_item; + PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize); + if (self->ob_item == NULL) { +- PyObject_Del(self); +- PyErr_NoMemory(); ++ self->ob_item = old_item; ++ PyErr_NoMemory(); + return -1; + } + memcpy(self->ob_item + self->ob_size*self->ob_descr->itemsize, +@@ -886,7 +888,7 @@ array_inplace_repeat(arrayobject *self, Py_ssize_t n) + if (size > PY_SSIZE_T_MAX / n) { + return PyErr_NoMemory(); + } +- PyMem_Resize(items, char, n * size); ++ PyMem_RESIZE(items, char, n * size); + if (items == NULL) + return PyErr_NoMemory(); + p = items; Index: patches/patch-Modules_fcntlmodule_c =================================================================== RCS file: patches/patch-Modules_fcntlmodule_c diff -N patches/patch-Modules_fcntlmodule_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_fcntlmodule_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,29 @@ +$OpenBSD$ +--- Modules/fcntlmodule.c.orig Sun Jul 30 01:43:13 2006 ++++ Modules/fcntlmodule.c Tue Aug 5 18:18:52 2008 +@@ -97,11 +97,20 @@ fcntl_ioctl(PyObject *self, PyObject *args) + { + #define IOCTL_BUFSZ 1024 + int fd; +- /* In PyArg_ParseTuple below, use the unsigned int 'I' format for +- the signed int 'code' variable, because Python turns 0x8000000 +- into a large positive number (PyLong, or PyInt on 64-bit +- platforms,) whereas C expects it to be a negative int */ +- int code; ++ /* In PyArg_ParseTuple below, we use the unsigned non-checked 'I' ++ format for the 'code' parameter because Python turns 0x8000000 ++ into either a large positive number (PyLong or PyInt on 64-bit ++ platforms) or a negative number on others (32-bit PyInt) ++ whereas the system expects it to be a 32bit bit field value ++ regardless of it being passed as an int or unsigned long on ++ various platforms. See the termios.TIOCSWINSZ constant across ++ platforms for an example of thise. ++ ++ If any of the 64bit platforms ever decide to use more than 32bits ++ in their unsigned long ioctl codes this will break and need ++ special casing based on the platform being built on. ++ */ ++ unsigned int code; + int arg; + int ret; + char *str; Index: patches/patch-Modules_gcmodule_c =================================================================== RCS file: patches/patch-Modules_gcmodule_c diff -N patches/patch-Modules_gcmodule_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_gcmodule_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,24 @@ +$OpenBSD$ +--- Modules/gcmodule.c.orig Tue Oct 10 05:42:33 2006 ++++ Modules/gcmodule.c Tue Aug 5 18:18:52 2008 +@@ -1318,7 +1318,10 @@ PyObject * + _PyObject_GC_Malloc(size_t basicsize) + { + PyObject *op; +- PyGC_Head *g = (PyGC_Head *)PyObject_MALLOC( ++ PyGC_Head *g; ++ if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head)) ++ return PyErr_NoMemory(); ++ g = (PyGC_Head *)PyObject_MALLOC( + sizeof(PyGC_Head) + basicsize); + if (g == NULL) + return PyErr_NoMemory(); +@@ -1361,6 +1364,8 @@ _PyObject_GC_Resize(PyVarObject *op, Py_ssize_t nitems + { + const size_t basicsize = _PyObject_VAR_SIZE(op->ob_type, nitems); + PyGC_Head *g = AS_GC(op); ++ if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head)) ++ return (PyVarObject *)PyErr_NoMemory(); + g = (PyGC_Head *)PyObject_REALLOC(g, sizeof(PyGC_Head) + basicsize); + if (g == NULL) + return (PyVarObject *)PyErr_NoMemory(); Index: patches/patch-Modules_imageop_c =================================================================== RCS file: patches/patch-Modules_imageop_c diff -N patches/patch-Modules_imageop_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_imageop_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,218 @@ +$OpenBSD$ +--- Modules/imageop.c.orig Thu Jan 19 17:09:39 2006 ++++ Modules/imageop.c Tue Aug 5 18:18:52 2008 +@@ -78,7 +78,7 @@ imageop_crop(PyObject *self, PyObject *args) + char *cp, *ncp; + short *nsp; + Py_Int32 *nlp; +- int len, size, x, y, newx1, newx2, newy1, newy2; ++ int len, size, x, y, newx1, newx2, newy1, newy2, nlen; + int ix, iy, xstep, ystep; + PyObject *rv; + +@@ -90,13 +90,19 @@ imageop_crop(PyObject *self, PyObject *args) + PyErr_SetString(ImageopError, "Size should be 1, 2 or 4"); + return 0; + } +- if ( len != size*x*y ) { ++ if (( len != size*x*y ) || ++ ( size != ((len / x) / y) )) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } + xstep = (newx1 < newx2)? 1 : -1; + ystep = (newy1 < newy2)? 1 : -1; + ++ nlen = (abs(newx2-newx1)+1)*(abs(newy2-newy1)+1)*size; ++ if ( size != ((nlen / (abs(newx2-newx1)+1)) / (abs(newy2-newy1)+1)) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + rv = PyString_FromStringAndSize(NULL, + (abs(newx2-newx1)+1)*(abs(newy2-newy1)+1)*size); + if ( rv == 0 ) +@@ -132,7 +138,7 @@ imageop_scale(PyObject *self, PyObject *args) + char *cp, *ncp; + short *nsp; + Py_Int32 *nlp; +- int len, size, x, y, newx, newy; ++ int len, size, x, y, newx, newy, nlen; + int ix, iy; + int oix, oiy; + PyObject *rv; +@@ -145,12 +151,18 @@ imageop_scale(PyObject *self, PyObject *args) + PyErr_SetString(ImageopError, "Size should be 1, 2 or 4"); + return 0; + } +- if ( len != size*x*y ) { ++ if ( ( len != size*x*y ) || ++ ( size != ((len / x) / y) ) ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } ++ nlen = newx*newy*size; ++ if ( size != ((nlen / newx) / newy) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + +- rv = PyString_FromStringAndSize(NULL, newx*newy*size); ++ rv = PyString_FromStringAndSize(NULL, nlen); + if ( rv == 0 ) + return 0; + ncp = (char *)PyString_AsString(rv); +@@ -190,7 +202,8 @@ imageop_tovideo(PyObject *self, PyObject *args) + PyErr_SetString(ImageopError, "Size should be 1 or 4"); + return 0; + } +- if ( maxx*maxy*width != len ) { ++ if ( ( maxx*maxy*width != len ) || ++ ( maxx != ((len / maxy) / width) ) ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } +@@ -240,7 +253,8 @@ imageop_grey2mono(PyObject *self, PyObject *args) + if ( !PyArg_ParseTuple(args, "s#iii", &cp, &len, &x, &y, &tres) ) + return 0; + +- if ( x*y != len ) { ++ if ( ( x*y != len ) || ++ ( x != len / y ) ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } +@@ -281,7 +295,8 @@ imageop_grey2grey4(PyObject *self, PyObject *args) + if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) ) + return 0; + +- if ( x*y != len ) { ++ if ( ( x*y != len ) || ++ ( x != len / y ) ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } +@@ -320,7 +335,8 @@ imageop_grey2grey2(PyObject *self, PyObject *args) + if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) ) + return 0; + +- if ( x*y != len ) { ++ if ( ( x*y != len ) || ++ ( x != len / y ) ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } +@@ -358,7 +374,8 @@ imageop_dither2mono(PyObject *self, PyObject *args) + if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) ) + return 0; + +- if ( x*y != len ) { ++ if ( ( x*y != len ) || ++ ( x != len / y ) ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } +@@ -404,7 +421,8 @@ imageop_dither2grey2(PyObject *self, PyObject *args) + if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) ) + return 0; + +- if ( x*y != len ) { ++ if ( ( x*y != len ) || ++ ( x != len / y ) ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } +@@ -443,7 +461,11 @@ imageop_mono2grey(PyObject *self, PyObject *args) + if ( !PyArg_ParseTuple(args, "s#iiii", &cp, &len, &x, &y, &v0, &v1) ) + return 0; + +- nlen = x*y; ++ nlen = x*y; ++ if ( x != (nlen / y) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + if ( (nlen+7)/8 != len ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; +@@ -481,6 +503,10 @@ imageop_grey22grey(PyObject *self, PyObject *args) + return 0; + + nlen = x*y; ++ if ( x != (nlen / y) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + if ( (nlen+3)/4 != len ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; +@@ -517,6 +543,10 @@ imageop_grey42grey(PyObject *self, PyObject *args) + return 0; + + nlen = x*y; ++ if ( x != (nlen / y) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + if ( (nlen+1)/2 != len ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; +@@ -554,6 +584,10 @@ imageop_rgb2rgb8(PyObject *self, PyObject *args) + return 0; + + nlen = x*y; ++ if ( x != (nlen / y) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + if ( nlen*4 != len ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; +@@ -598,10 +632,19 @@ imageop_rgb82rgb(PyObject *self, PyObject *args) + return 0; + + nlen = x*y; ++ if ( x != (nlen / y) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + if ( nlen != len ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } ++ ++ if ( nlen / x != y || nlen > INT_MAX / 4) { ++ PyErr_SetString(ImageopError, "Image is too large"); ++ return 0; ++ } + + rv = PyString_FromStringAndSize(NULL, nlen*4); + if ( rv == 0 ) +@@ -648,6 +691,10 @@ imageop_rgb2grey(PyObject *self, PyObject *args) + return 0; + + nlen = x*y; ++ if ( x != (nlen / y) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + if ( nlen*4 != len ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; +@@ -693,8 +740,17 @@ imageop_grey2rgb(PyObject *self, PyObject *args) + return 0; + + nlen = x*y; ++ if ( x != (nlen / y) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + if ( nlen != len ) { + PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } ++ ++ if ( nlen / x != y || nlen > INT_MAX / 4) { ++ PyErr_SetString(ImageopError, "Image is too large"); + return 0; + } + Index: patches/patch-Modules_mmapmodule_c =================================================================== RCS file: patches/patch-Modules_mmapmodule_c diff -N patches/patch-Modules_mmapmodule_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_mmapmodule_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,12 @@ +$OpenBSD$ +--- Modules/mmapmodule.c.orig Tue Aug 22 23:57:07 2006 ++++ Modules/mmapmodule.c Tue Aug 5 18:18:52 2008 +@@ -223,7 +223,7 @@ mmap_read_method(mmap_object *self, + return(NULL); + + /* silently 'adjust' out-of-range requests */ +- if ((self->pos + num_bytes) > self->size) { ++ if (num_bytes > self->size - self->pos) { + num_bytes -= (self->pos+num_bytes) - self->size; + } + result = Py_BuildValue("s#", self->data+self->pos, num_bytes); Index: patches/patch-Modules_rgbimgmodule_c =================================================================== RCS file: patches/patch-Modules_rgbimgmodule_c diff -N patches/patch-Modules_rgbimgmodule_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_rgbimgmodule_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,15 @@ +$OpenBSD$ +--- Modules/rgbimgmodule.c.orig Thu Feb 14 22:26:18 2008 ++++ Modules/rgbimgmodule.c Tue Aug 5 18:18:52 2008 +@@ -299,6 +299,11 @@ longimagedata(PyObject *self, PyObject *args) + xsize = image.xsize; + ysize = image.ysize; + zsize = image.zsize; ++ tablen = xsize * ysize * zsize * sizeof(Py_Int32); ++ if (xsize != (((tablen / ysize) / zsize) / sizeof(Py_Int32))) { ++ PyErr_NoMemory(); ++ goto finally; ++ } + if (rle) { + tablen = ysize * zsize * sizeof(Py_Int32); + rlebuflen = (int) (1.05 * xsize +10); Index: patches/patch-Modules_selectmodule_c =================================================================== RCS file: patches/patch-Modules_selectmodule_c diff -N patches/patch-Modules_selectmodule_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_selectmodule_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,17 @@ +$OpenBSD$ +--- Modules/selectmodule.c.orig Mon Jul 10 11:18:57 2006 ++++ Modules/selectmodule.c Tue Aug 5 18:18:52 2008 +@@ -349,10 +349,12 @@ update_ufd_array(pollObject *self) + { + Py_ssize_t i, pos; + PyObject *key, *value; ++ struct pollfd *old_ufds = self->ufds; + + self->ufd_len = PyDict_Size(self->dict); +- PyMem_Resize(self->ufds, struct pollfd, self->ufd_len); ++ PyMem_RESIZE(self->ufds, struct pollfd, self->ufd_len); + if (self->ufds == NULL) { ++ self->ufds = old_ufds; + PyErr_NoMemory(); + return 0; + } Index: patches/patch-Modules_stropmodule_c =================================================================== RCS file: patches/patch-Modules_stropmodule_c diff -N patches/patch-Modules_stropmodule_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_stropmodule_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,32 @@ +$OpenBSD$ +--- Modules/stropmodule.c.orig Thu Feb 14 22:26:18 2008 ++++ Modules/stropmodule.c Tue Aug 5 18:18:52 2008 +@@ -216,6 +216,13 @@ strop_joinfields(PyObject *self, PyObject *args) + return NULL; + } + slen = PyString_GET_SIZE(item); ++ if (slen > PY_SSIZE_T_MAX - reslen || ++ seplen > PY_SSIZE_T_MAX - reslen - seplen) { ++ PyErr_SetString(PyExc_OverflowError, ++ "input too long"); ++ Py_DECREF(res); ++ return NULL; ++ } + while (reslen + slen + seplen >= sz) { + if (_PyString_Resize(&res, sz * 2) < 0) + return NULL; +@@ -253,6 +260,14 @@ strop_joinfields(PyObject *self, PyObject *args) + return NULL; + } + slen = PyString_GET_SIZE(item); ++ if (slen > PY_SSIZE_T_MAX - reslen || ++ seplen > PY_SSIZE_T_MAX - reslen - seplen) { ++ PyErr_SetString(PyExc_OverflowError, ++ "input too long"); ++ Py_DECREF(res); ++ Py_XDECREF(item); ++ return NULL; ++ } + while (reslen + slen + seplen >= sz) { + if (_PyString_Resize(&res, sz * 2) < 0) { + Py_DECREF(item); Index: patches/patch-Modules_zlibmodule_c =================================================================== RCS file: patches/patch-Modules_zlibmodule_c diff -N patches/patch-Modules_zlibmodule_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_zlibmodule_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,14 @@ +$OpenBSD$ +--- Modules/zlibmodule.c.orig Wed Nov 21 11:44:57 2007 ++++ Modules/zlibmodule.c Tue Aug 5 18:18:52 2008 +@@ -774,6 +774,10 @@ PyZlib_unflush(compobject *self, PyObject *args) + + if (!PyArg_ParseTuple(args, "|i:flush", &length)) + return NULL; ++ if (length <= 0) { ++ PyErr_SetString(PyExc_ValueError, "length must be greater than zero"); ++ return NULL; ++ } + if (!(retval = PyString_FromStringAndSize(NULL, length))) + return NULL; + Index: patches/patch-Objects_bufferobject_c =================================================================== RCS file: patches/patch-Objects_bufferobject_c diff -N patches/patch-Objects_bufferobject_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Objects_bufferobject_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,14 @@ +$OpenBSD$ +--- Objects/bufferobject.c.orig Thu Feb 14 22:26:18 2008 ++++ Objects/bufferobject.c Tue Aug 5 18:18:52 2008 +@@ -427,6 +427,10 @@ buffer_repeat(PyBufferObject *self, Py_ssize_t count) + count = 0; + if (!get_buf(self, &ptr, &size, ANY_BUFFER)) + return NULL; ++ if (count > PY_SSIZE_T_MAX / size) { ++ PyErr_SetString(PyExc_MemoryError, "result too large"); ++ return NULL; ++ } + ob = PyString_FromStringAndSize(NULL, size * count); + if ( ob == NULL ) + return NULL; Index: patches/patch-Objects_longobject_c =================================================================== RCS file: patches/patch-Objects_longobject_c diff -N patches/patch-Objects_longobject_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Objects_longobject_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,12 @@ +$OpenBSD$ +--- Objects/longobject.c.orig Tue May 8 04:30:48 2007 ++++ Objects/longobject.c Tue Aug 5 18:18:52 2008 +@@ -70,6 +70,8 @@ _PyLong_New(Py_ssize_t size) + PyErr_NoMemory(); + return NULL; + } ++ /* XXX(nnorwitz): This can overflow -- ++ PyObject_NEW_VAR / _PyObject_VAR_SIZE need to detect overflow */ + return PyObject_NEW_VAR(PyLongObject, &PyLong_Type, size); + } + Index: patches/patch-Objects_obmalloc_c =================================================================== RCS file: patches/patch-Objects_obmalloc_c diff -N patches/patch-Objects_obmalloc_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Objects_obmalloc_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,35 @@ +$OpenBSD$ +--- Objects/obmalloc.c.orig Thu Feb 14 22:26:18 2008 ++++ Objects/obmalloc.c Tue Aug 5 18:18:52 2008 +@@ -727,6 +727,15 @@ PyObject_Malloc(size_t nbytes) + uint size; + + /* ++ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes. ++ * Most python internals blindly use a signed Py_ssize_t to track ++ * things without checking for overflows or negatives. ++ * As size_t is unsigned, checking for nbytes < 0 is not required. ++ */ ++ if (nbytes > PY_SSIZE_T_MAX) ++ return NULL; ++ ++ /* + * This implicitly redirects malloc(0). + */ + if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) { +@@ -1129,6 +1138,15 @@ PyObject_Realloc(void *p, size_t nbytes) + + if (p == NULL) + return PyObject_Malloc(nbytes); ++ ++ /* ++ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes. ++ * Most python internals blindly use a signed Py_ssize_t to track ++ * things without checking for overflows or negatives. ++ * As size_t is unsigned, checking for nbytes < 0 is not required. ++ */ ++ if (nbytes > PY_SSIZE_T_MAX) ++ return NULL; + + pool = POOL_ADDR(p); + if (Py_ADDRESS_IN_RANGE(p, pool)) { Index: patches/patch-Objects_stringobject_c =================================================================== RCS file: patches/patch-Objects_stringobject_c diff -N patches/patch-Objects_stringobject_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Objects_stringobject_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,62 @@ +$OpenBSD$ +--- Objects/stringobject.c.orig Wed Nov 7 12:19:49 2007 ++++ Objects/stringobject.c Tue Aug 5 18:18:52 2008 +@@ -54,6 +54,11 @@ PyString_FromStringAndSize(const char *str, Py_ssize_t + { + register PyStringObject *op; + assert(size >= 0); ++ if (size < 0) { ++ PyErr_SetString(PyExc_SystemError, ++ "Negative size passed to PyString_FromStringAndSize"); ++ return NULL; ++ } + if (size == 0 && (op = nullstring) != NULL) { + #ifdef COUNT_ALLOCS + null_strings++; +@@ -71,6 +76,11 @@ PyString_FromStringAndSize(const char *str, Py_ssize_t + return (PyObject *)op; + } + ++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) { ++ PyErr_SetString(PyExc_OverflowError, "string is too large"); ++ return NULL; ++ } ++ + /* Inline PyObject_NewVar */ + op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size); + if (op == NULL) +@@ -106,7 +116,7 @@ PyString_FromString(const char *str) + + assert(str != NULL); + size = strlen(str); +- if (size > PY_SSIZE_T_MAX) { ++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) { + PyErr_SetString(PyExc_OverflowError, + "string is too long for a Python string"); + return NULL; +@@ -967,14 +977,24 @@ string_concat(register PyStringObject *a, register PyO + Py_INCREF(a); + return (PyObject *)a; + } ++ /* Check that string sizes are not negative, to prevent an ++ overflow in cases where we are passed incorrectly-created ++ strings with negative lengths (due to a bug in other code). ++ */ + size = a->ob_size + b->ob_size; +- if (size < 0) { ++ if (a->ob_size < 0 || b->ob_size < 0 || ++ a->ob_size > PY_SSIZE_T_MAX - b->ob_size) { + PyErr_SetString(PyExc_OverflowError, + "strings are too large to concat"); + return NULL; + } + + /* Inline PyObject_NewVar */ ++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) { ++ PyErr_SetString(PyExc_OverflowError, ++ "strings are too large to concat"); ++ return NULL; ++ } + op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size); + if (op == NULL) + return PyErr_NoMemory(); Index: patches/patch-Objects_tupleobject_c =================================================================== RCS file: patches/patch-Objects_tupleobject_c diff -N patches/patch-Objects_tupleobject_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Objects_tupleobject_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,18 @@ +$OpenBSD$ +--- Objects/tupleobject.c.orig Sun Aug 13 03:03:09 2006 ++++ Objects/tupleobject.c Tue Aug 5 18:18:52 2008 +@@ -60,11 +60,12 @@ PyTuple_New(register Py_ssize_t size) + Py_ssize_t nbytes = size * sizeof(PyObject *); + /* Check for overflow */ + if (nbytes / sizeof(PyObject *) != (size_t)size || +- (nbytes += sizeof(PyTupleObject) - sizeof(PyObject *)) +- <= 0) ++ (nbytes > PY_SSIZE_T_MAX - sizeof(PyTupleObject) - sizeof(PyObject *))) + { + return PyErr_NoMemory(); + } ++ nbytes += sizeof(PyTupleObject) - sizeof(PyObject *); ++ + op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size); + if (op == NULL) + return NULL; Index: patches/patch-Objects_unicodeobject_c =================================================================== RCS file: patches/patch-Objects_unicodeobject_c diff -N patches/patch-Objects_unicodeobject_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Objects_unicodeobject_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,125 @@ +$OpenBSD$ +--- Objects/unicodeobject.c.orig Sat Nov 3 09:46:38 2007 ++++ Objects/unicodeobject.c Tue Aug 5 18:18:52 2008 +@@ -239,6 +239,11 @@ PyUnicodeObject *_PyUnicode_New(Py_ssize_t length) + return unicode_empty; + } + ++ /* Ensure we won't overflow the size. */ ++ if (length > ((PY_SSIZE_T_MAX / sizeof(Py_UNICODE)) - 1)) { ++ return (PyUnicodeObject *)PyErr_NoMemory(); ++ } ++ + /* Unicode freelist & memory allocation */ + if (unicode_freelist) { + unicode = unicode_freelist; +@@ -970,7 +975,7 @@ PyObject *PyUnicode_DecodeUTF7(const char *s, + while (s < e) { + Py_UNICODE ch; + restart: +- ch = *s; ++ ch = (unsigned char) *s; + + if (inShift) { + if ((ch == '-') || !B64CHAR(ch)) { +@@ -1091,6 +1096,9 @@ PyObject *PyUnicode_EncodeUTF7(const Py_UNICODE *s, + char * out; + char * start; + ++ if (cbAllocated / 5 != size) ++ return PyErr_NoMemory(); ++ + if (size == 0) + return PyString_FromStringAndSize(NULL, 0); + +@@ -1689,8 +1697,9 @@ PyUnicode_EncodeUTF16(const Py_UNICODE *s, + { + PyObject *v; + unsigned char *p; ++ Py_ssize_t nsize, bytesize; + #ifdef Py_UNICODE_WIDE +- int i, pairs; ++ Py_ssize_t i, pairs; + #else + const int pairs = 0; + #endif +@@ -1713,8 +1722,15 @@ PyUnicode_EncodeUTF16(const Py_UNICODE *s, + if (s[i] >= 0x10000) + pairs++; + #endif +- v = PyString_FromStringAndSize(NULL, +- 2 * (size + pairs + (byteorder == 0))); ++ /* 2 * (size + pairs + (byteorder == 0)) */ ++ if (size > PY_SSIZE_T_MAX || ++ size > PY_SSIZE_T_MAX - pairs - (byteorder == 0)) ++ return PyErr_NoMemory(); ++ nsize = (size + pairs + (byteorder == 0)); ++ bytesize = nsize * 2; ++ if (bytesize / 2 != nsize) ++ return PyErr_NoMemory(); ++ v = PyString_FromStringAndSize(NULL, bytesize); + if (v == NULL) + return NULL; + +@@ -2042,6 +2058,11 @@ PyObject *unicodeescape_string(const Py_UNICODE *s, + char *p; + + static const char *hexdigit = "0123456789abcdef"; ++#ifdef Py_UNICODE_WIDE ++ const Py_ssize_t expandsize = 10; ++#else ++ const Py_ssize_t expandsize = 6; ++#endif + + /* Initial allocation is based on the longest-possible unichr + escape. +@@ -2057,13 +2078,12 @@ PyObject *unicodeescape_string(const Py_UNICODE *s, + escape. + */ + ++ if (size > (PY_SSIZE_T_MAX - 2 - 1) / expandsize) ++ return PyErr_NoMemory(); ++ + repr = PyString_FromStringAndSize(NULL, + 2 +-#ifdef Py_UNICODE_WIDE +- + 10*size +-#else +- + 6*size +-#endif ++ + expandsize*size + + 1); + if (repr == NULL) + return NULL; +@@ -2304,12 +2324,16 @@ PyObject *PyUnicode_EncodeRawUnicodeEscape(const Py_UN + char *q; + + static const char *hexdigit = "0123456789abcdef"; +- + #ifdef Py_UNICODE_WIDE +- repr = PyString_FromStringAndSize(NULL, 10 * size); ++ const Py_ssize_t expandsize = 10; + #else +- repr = PyString_FromStringAndSize(NULL, 6 * size); ++ const Py_ssize_t expandsize = 6; + #endif ++ ++ if (size > PY_SSIZE_T_MAX / expandsize) ++ return PyErr_NoMemory(); ++ ++ repr = PyString_FromStringAndSize(NULL, expandsize * size); + if (repr == NULL) + return NULL; + if (size == 0) +@@ -4719,6 +4743,11 @@ PyUnicodeObject *pad(PyUnicodeObject *self, + return self; + } + ++ if (left > PY_SSIZE_T_MAX - self->length || ++ right > PY_SSIZE_T_MAX - (left + self->length)) { ++ PyErr_SetString(PyExc_OverflowError, "padded string is too long"); ++ return NULL; ++ } + u = _PyUnicode_New(left + self->length + right); + if (u) { + if (left) Index: patches/patch-Python_mysnprintf_c =================================================================== RCS file: patches/patch-Python_mysnprintf_c diff -N patches/patch-Python_mysnprintf_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Python_mysnprintf_c 5 Aug 2008 11:06:58 -0000 @@ -0,0 +1,56 @@ +$OpenBSD$ +--- Python/mysnprintf.c.orig Sat Dec 22 03:32:15 2001 ++++ Python/mysnprintf.c Tue Aug 5 18:18:52 2008 +@@ -54,18 +54,28 @@ int + PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va) + { + int len; /* # bytes written, excluding \0 */ +-#ifndef HAVE_SNPRINTF ++#ifdef HAVE_SNPRINTF ++#define _PyOS_vsnprintf_EXTRA_SPACE 1 ++#else ++#define _PyOS_vsnprintf_EXTRA_SPACE 512 + char *buffer; + #endif + assert(str != NULL); + assert(size > 0); + assert(format != NULL); ++ /* We take a size_t as input but return an int. Sanity check ++ * our input so that it won't cause an overflow in the ++ * vsnprintf return value or the buffer malloc size. */ ++ if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE) { ++ len = -666; ++ goto Done; ++ } + + #ifdef HAVE_SNPRINTF + len = vsnprintf(str, size, format, va); + #else + /* Emulate it. */ +- buffer = PyMem_MALLOC(size + 512); ++ buffer = PyMem_MALLOC(size + _PyOS_vsnprintf_EXTRA_SPACE); + if (buffer == NULL) { + len = -666; + goto Done; +@@ -75,7 +85,7 @@ PyOS_vsnprintf(char *str, size_t size, const char *fo + if (len < 0) + /* ignore the error */; + +- else if ((size_t)len >= size + 512) ++ else if ((size_t)len >= size + _PyOS_vsnprintf_EXTRA_SPACE) + Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf"); + + else { +@@ -86,8 +96,10 @@ PyOS_vsnprintf(char *str, size_t size, const char *fo + str[to_copy] = '\0'; + } + PyMem_FREE(buffer); +-Done: + #endif +- str[size-1] = '\0'; ++Done: ++ if (size > 0) ++ str[size-1] = '\0'; + return len; ++#undef _PyOS_vsnprintf_EXTRA_SPACE + }