Fix Python CVE-2017-1000158

Change-Id: Id686120f85d44c8a0d65ae8683bcb7ed6e42854b

2 files changed, 63 insertions, 0 deletions

diff --git a/external/python3/UnpackedTarball_python3.mk b/external/python3/UnpackedTarball_python3.mk
index 35d6e643a1b0..9ed7a1ccce38 100644
--- a/external/python3/UnpackedTarball_python3.mk
+++ b/external/python3/UnpackedTarball_python3.mk
@@ -26,6 +26,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,python3,\
 	external/python3/python-3.3.5-pyexpat-symbols.patch.1 \
 	external/python3/ubsan.patch.0 \
 	external/python3/python-3.5.tweak.strip.soabi.patch \
+	external/python3/python-3.5.5-CVE-2017-1000158.patch.1 \
 ))
 
 ifneq ($(filter DRAGONFLY FREEBSD LINUX NETBSD OPENBSD SOLARIS,$(OS)),)
diff --git a/external/python3/python-3.5.5-CVE-2017-1000158.patch.1 b/external/python3/python-3.5.5-CVE-2017-1000158.patch.1
new file mode 100644
index 000000000000..9bd472fd713d
--- /dev/null
+++ b/external/python3/python-3.5.5-CVE-2017-1000158.patch.1
@@ -0,0 +1,62 @@
+From fd8614c5c5466a14a945db5b059c10c0fb8f76d9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
+Date: Fri, 8 Dec 2017 22:34:12 +0100
+Subject: [PATCH] bpo-30657: Fix CVE-2017-1000158 (#4664)
+
+Fixes possible integer overflow in PyBytes_DecodeEscape.
+
+Co-Authored-By: Jay Bosamiya <jaybosamiya@gmail.com>
+---
+ Misc/ACKS                                                         | 2 ++
+ .../NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst | 2 ++
+ Objects/bytesobject.c                                             | 8 +++++++-
+ 3 files changed, 11 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst
+
+diff --git a/Misc/ACKS b/Misc/ACKS
+index fbf110d801b5..1a35aad66ce7 100644
+--- a/Misc/ACKS
++++ b/Misc/ACKS
+@@ -167,6 +167,7 @@ Médéric Boquien
+ Matias Bordese
+ Jonas Borgström
+ Jurjen Bos
++Jay Bosamiya
+ Peter Bosch
+ Dan Boswell
+ Eric Bouck
+@@ -651,6 +652,7 @@ Ken Howard
+ Brad Howes
+ Mike Hoy
+ Ben Hoyt
++Miro Hrončok
+ Chiu-Hsiang Hsu
+ Chih-Hao Huang
+ Christian Hudon
+diff --git a/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst b/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst
+new file mode 100644
+index 000000000000..75359b6d8833
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst
+@@ -0,0 +1,2 @@
++Fixed possible integer overflow in PyBytes_DecodeEscape, CVE-2017-1000158.
++Original patch by Jay Bosamiya; rebased to Python 3 by Miro Hrončok.
+diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
+index 77dd45e84af8..9b29dc38b44f 100644
+--- a/Objects/bytesobject.c
++++ b/Objects/bytesobject.c
+@@ -970,7 +970,13 @@ PyObject *PyBytes_DecodeEscape(const char *s,
+     char *p, *buf;
+     const char *end;
+     PyObject *v;
+-    Py_ssize_t newlen = recode_encoding ? 4*len:len;
++    Py_ssize_t newlen;
++    /* Check for integer overflow */
++    if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
++        PyErr_SetString(PyExc_OverflowError, "string is too large");
++        return NULL;
++    }
++    newlen = recode_encoding ? 4*len:len;
+     v = PyBytes_FromStringAndSize((char *)NULL, newlen);
+     if (v == NULL)
+         return NULL;