diff options
| author | Gregory P. Smith <gps@google.com> | 2022-09-02 16:35:08 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-09-02 16:35:08 (GMT) |
| commit | 511ca9452033ef95bc7d7fc404b8161068226002 (patch) | |
| tree | cefd49e0c9c75f912fa28d05eae15335273aaa8e /Parser/pegen.c | |
| parent | 656167db81a53934da55d90ed431449d8a4fc14b (diff) | |
| download | cpython-511ca9452033ef95bc7d7fc404b8161068226002.zip cpython-511ca9452033ef95bc7d7fc404b8161068226002.tar.gz cpython-511ca9452033ef95bc7d7fc404b8161068226002.tar.bz2 | |
gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96499)
Integer to and from text conversions via CPython's bignum `int` type is not safe against denial of service attacks due to malicious input. Very large input strings with hundred thousands of digits can consume several CPU seconds.
This PR comes fresh from a pile of work done in our private PSRT security response team repo.
Signed-off-by: Christian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).
<!-- gh-issue-number: gh-95778 -->
* Issue: gh-95778
<!-- /gh-issue-number -->
I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#). Much of that text wound up in the Issue. Backports PRs already exist. See the issue for links.
Diffstat (limited to 'Parser/pegen.c')
| -rw-r--r-- | Parser/pegen.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/Parser/pegen.c b/Parser/pegen.c index 31e3ec0..a5d123d 100644 --- a/Parser/pegen.c +++ b/Parser/pegen.c @@ -1,5 +1,6 @@ #include <Python.h> #include "pycore_ast.h" // _PyAST_Validate(), +#include "pycore_pystate.h" // _PyThreadState_GET() #include <errcode.h> #include "tokenizer.h" @@ -645,6 +646,28 @@ _PyPegen_number_token(Parser *p) if (c == NULL) { p->error_indicator = 1; + PyThreadState *tstate = _PyThreadState_GET(); + // The only way a ValueError should happen in _this_ code is via + // PyLong_FromString hitting a length limit. + if (tstate->curexc_type == PyExc_ValueError && + tstate->curexc_value != NULL) { + PyObject *type, *value, *tb; + // This acts as PyErr_Clear() as we're replacing curexc. + PyErr_Fetch(&type, &value, &tb); + Py_XDECREF(tb); + Py_DECREF(type); + /* Intentionally omitting columns to avoid a wall of 1000s of '^'s + * on the error message. Nobody is going to overlook their huge + * numeric literal once given the line. */ + RAISE_ERROR_KNOWN_LOCATION( + p, PyExc_SyntaxError, + t->lineno, -1 /* col_offset */, + t->end_lineno, -1 /* end_col_offset */, + "%S - Consider hexadecimal for huge integer literals " + "to avoid decimal conversion limits.", + value); + Py_DECREF(value); + } return NULL; } |