- Issue python#2587: In the C API, PyString_FromStringAndSize() takes a signed size

doko42 · doko42 · commit b7cfda132406 · 2008-11-12T07:21:52.000Z
parameter but was not verifying that it was greater than zero. Values less than zero will now raise a SystemError and return NULL to indicate a bug in the calling C code. CVE-2008-1887. backport r62261, r62271
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -30,6 +30,11 @@ Core and builtins
 - Issues #2588, #2589: Fix potential integer underflow and overflow
   conditions in the PyOS_vsnprintf C API function. CVE-2008-3144.
 
+- Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size
+  parameter but was not verifying that it was greater than zero.  Values
+  less than zero will now raise a SystemError and return NULL to indicate a
+  bug in the calling C code. CVE-2008-1887.
+
 Extension Modules
 -----------------
 
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
@@ -52,6 +52,13 @@ PyObject *
 PyString_FromStringAndSize(const char *str, int size)
 {
 	register PyStringObject *op;
+
+	if (size < 0) {
+		PyErr_SetString(PyExc_SystemError,
+		    "Negative size passed to PyString_FromStringAndSize");
+		return NULL;
+	}
+
 	if (size == 0 && (op = nullstring) != NULL) {
 #ifdef COUNT_ALLOCS
 		null_strings++;
