diff options
| author | Benjamin Peterson <benjamin@python.org> | 2008-09-24 22:53:33 (GMT) |
|---|---|---|
| committer | Benjamin Peterson <benjamin@python.org> | 2008-09-24 22:53:33 (GMT) |
| commit | 78cb491de3726c35c799448dfb5c29e550c442a1 (patch) | |
| tree | 9a6a876f7e0d49d29f4b0762d615b796254c5470 /Modules | |
| parent | 1308c26cf4cd930f3774cf6f35ae1e3c483d9718 (diff) | |
| download | cpython-78cb491de3726c35c799448dfb5c29e550c442a1.zip cpython-78cb491de3726c35c799448dfb5c29e550c442a1.tar.gz cpython-78cb491de3726c35c799448dfb5c29e550c442a1.tar.bz2 | |
Merged revisions 66496 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r66496 | benjamin.peterson | 2008-09-17 20:22:16 -0500 (Wed, 17 Sep 2008) | 1 line
fix possible integer overflows in _hashopenssl #3886
........
Diffstat (limited to 'Modules')
| -rw-r--r-- | Modules/_hashopenssl.c | 56 |
1 files changed, 43 insertions, 13 deletions
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c index c0f9a2c..1b3ac6d 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c @@ -19,6 +19,8 @@ /* EVP is the preferred interface to hashing in OpenSSL */ #include <openssl/evp.h> +#define MUNCH_SIZE INT_MAX + #ifndef HASH_OBJ_CONSTRUCTOR #define HASH_OBJ_CONSTRUCTOR 0 @@ -182,10 +184,17 @@ EVP_update(EVPobject *self, PyObject *args) return NULL; MY_GET_BUFFER_VIEW_OR_ERROUT(obj, &view); - - EVP_DigestUpdate(&self->ctx, (unsigned char*)view.buf, - Py_SAFE_DOWNCAST(view.len, Py_ssize_t, unsigned int)); - + if (view.len > 0 && view.len <= MUNCH_SIZE) { + EVP_DigestUpdate(&self->ctx, view.buf, view.len); + } else { + Py_ssize_t offset = 0, len = view.len; + while (len) { + unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len; + EVP_DigestUpdate(&self->ctx, (unsigned char*)view.buf + offset, process); + len -= process; + offset += process; + } + } PyBuffer_Release(&view); Py_INCREF(Py_None); @@ -284,11 +293,21 @@ EVP_tp_init(EVPobject *self, PyObject *args, PyObject *kwds) Py_INCREF(self->name); if (data_obj) { - EVP_DigestUpdate(&self->ctx, (unsigned char*)view.buf, - Py_SAFE_DOWNCAST(view.len, Py_ssize_t, unsigned int)); + if (len > 0 && len <= MUNCH_SIZE) { + EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, + unsigned int)); + } else { + Py_ssize_t offset = 0, len = view.len; + while (len) { + unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len; + EVP_DigestUpdate(&self->ctx, (unsigned char*)view.buf + offset, process); + len -= process; + offset += process; + } + } PyBuffer_Release(&view); } - + return 0; } #endif @@ -357,7 +376,7 @@ static PyTypeObject EVPtype = { static PyObject * EVPnew(PyObject *name_obj, const EVP_MD *digest, const EVP_MD_CTX *initial_ctx, - const unsigned char *cp, unsigned int len) + const unsigned char *cp, Py_ssize_t len) { EVPobject *self; @@ -375,8 +394,20 @@ EVPnew(PyObject *name_obj, EVP_DigestInit(&self->ctx, digest); } - if (cp && len) - EVP_DigestUpdate(&self->ctx, cp, len); + if (cp && len) { + if (len > 0 && len <= MUNCH_SIZE) { + EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, + unsigned int)); + } else { + Py_ssize_t offset = 0; + while (len) { + unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len; + EVP_DigestUpdate(&self->ctx, cp + offset, process); + len -= process; + offset += process; + } + } + } return (PyObject *)self; } @@ -417,8 +448,7 @@ EVP_new(PyObject *self, PyObject *args, PyObject *kwdict) digest = EVP_get_digestbyname(name); - ret_obj = EVPnew(name_obj, digest, NULL, (unsigned char*)view.buf, - Py_SAFE_DOWNCAST(view.len, Py_ssize_t, unsigned int)); + ret_obj = EVPnew(name_obj, digest, NULL, (unsigned char*)view.buf, view.len); if (data_obj) PyBuffer_Release(&view); @@ -452,7 +482,7 @@ EVP_new(PyObject *self, PyObject *args, PyObject *kwdict) NULL, \ CONST_new_ ## NAME ## _ctx_p, \ (unsigned char*)view.buf, \ - Py_SAFE_DOWNCAST(view.len, Py_ssize_t, unsigned int)); \ + view.len); \ \ if (data_obj) \ PyBuffer_Release(&view); \ |