diff options
| author | Gregory P. Smith <greg@krypto.org> | 2022-09-05 09:21:03 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-09-05 09:21:03 (GMT) |
| commit | cec1e9dfd769bd3a16142d0fdd1a36f19c77ed15 (patch) | |
| tree | e8c95e4984b8f9d67f78ecc425e839302aa4c87e /Parser | |
| parent | d348afa15d5a997e7a8e51c0f789f41cb15cc651 (diff) | |
| download | cpython-cec1e9dfd769bd3a16142d0fdd1a36f19c77ed15.zip cpython-cec1e9dfd769bd3a16142d0fdd1a36f19c77ed15.tar.gz cpython-cec1e9dfd769bd3a16142d0fdd1a36f19c77ed15.tar.bz2 | |
[3.9] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96502)
* Correctly pre-check for int-to-str conversion (#96537)
Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)
The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.
The justification for the current check. The C code check is:
```c
max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10
```
In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:
$$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$
From this it follows that
$$\frac{M}{3L} < \frac{s-1}{10}$$
hence that
$$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$
So
$$2^{L(s-1)} > 10^M.$$
But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.
<!-- gh-issue-number: gh-95778 -->
* Issue: gh-95778
<!-- /gh-issue-number -->
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
Co-authored-by: Christian Heimes <christian@python.org>
Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
Diffstat (limited to 'Parser')
| -rw-r--r-- | Parser/pegen/pegen.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/Parser/pegen/pegen.c b/Parser/pegen/pegen.c index cdfbc12..15b06ce 100644 --- a/Parser/pegen/pegen.c +++ b/Parser/pegen/pegen.c @@ -967,6 +967,24 @@ _PyPegen_number_token(Parser *p) if (c == NULL) { p->error_indicator = 1; + PyObject *exc_type, *exc_value, *exc_tb; + PyErr_Fetch(&exc_type, &exc_value, &exc_tb); + // The only way a ValueError should happen in _this_ code is via + // PyLong_FromString hitting a length limit. + if (exc_type == PyExc_ValueError && exc_value != NULL) { + // The Fetch acted as PyErr_Clear(), we're replacing the exception. + Py_XDECREF(exc_tb); + Py_DECREF(exc_type); + RAISE_ERROR_KNOWN_LOCATION( + p, PyExc_SyntaxError, + t->lineno, 0 /* col_offset */, + "%S - Consider hexadecimal for huge integer literals " + "to avoid decimal conversion limits.", + exc_value); + Py_DECREF(exc_value); + } else { + PyErr_Restore(exc_type, exc_value, exc_tb); + } return NULL; } |