add patches from upstream svn rev.65333, fix integer overflows in

memory allocation (CVE-2008-2315)

9 files changed, 273 insertions, 3 deletions

diff --git a/lang/python24/Makefile b/lang/python24/Makefile
index e4dc5d65048..1b28e0f0ad0 100644
--- a/lang/python24/Makefile
+++ b/lang/python24/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.44 2008/07/14 14:42:51 joerg Exp $
+# $NetBSD: Makefile,v 1.45 2008/08/05 10:13:34 drochner Exp $
 
 DISTNAME=	Python-2.4.5
 PKGNAME=	python24-2.4.5
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	lang python
 MASTER_SITES=	http://www.python.org/ftp/python/2.4.5/
 EXTRACT_SUFX=	.tar.bz2
diff --git a/lang/python24/distinfo b/lang/python24/distinfo
index 133932011b4..7c304c1a51f 100644
--- a/lang/python24/distinfo
+++ b/lang/python24/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.28 2008/04/11 10:44:08 drochner Exp $
+$NetBSD: distinfo,v 1.29 2008/08/05 10:13:34 drochner Exp $
 
 SHA1 (Python-2.4.5.tar.bz2) = 6e9e1ac2b70cc10c36063a25ab5a5ddb53177107
 RMD160 (Python-2.4.5.tar.bz2) = b43f2114697be751f03ec7cfb46f8c4946a73097
@@ -23,3 +23,10 @@ SHA1 (patch-aq) = 10f1964892763e0d1b2345bd053d7929dd4b317e
 SHA1 (patch-ar) = f132998e3e81f3093f9bddf32fe6dcb40fcfa76f
 SHA1 (patch-at) = 9d66115cc561c99dcc3478678aa286c1c0c3df6b
 SHA1 (patch-au) = d0a234efabe7d6a1f2b1dcbf26780fdc6b452214
+SHA1 (patch-ba) = c9b88da8efc334771eff578585e2e9e7e21a0634
+SHA1 (patch-bb) = 89829819c5a38f3bbd8be1737568f87b9ffbd598
+SHA1 (patch-bc) = e72dc346087f78760e623344e9eff147283c202c
+SHA1 (patch-bd) = f760e4995888e22997d27598872fcf25cb89cbfe
+SHA1 (patch-be) = ce192dc8ec7b53b691288f1fecc8abbd9b61e9ea
+SHA1 (patch-bf) = c0ae4152a0991d1c814462a5a8e925c9a9a6c254
+SHA1 (patch-bg) = 30a6d65a10bc0e6df5229635ad89a27e1093a347
diff --git a/lang/python24/patches/patch-ba b/lang/python24/patches/patch-ba
new file mode 100644
index 00000000000..3a4c47fe2d4
--- /dev/null
+++ b/lang/python24/patches/patch-ba
@@ -0,0 +1,25 @@
+$NetBSD: patch-ba,v 1.1 2008/08/05 10:13:34 drochner Exp $
+
+--- Modules/gcmodule.c.orig	2006-09-28 19:08:01.000000000 +0200
++++ Modules/gcmodule.c
+@@ -1249,7 +1249,10 @@ PyObject *
+ _PyObject_GC_Malloc(size_t basicsize)
+ {
+ 	PyObject *op;
+-	PyGC_Head *g = PyObject_MALLOC(sizeof(PyGC_Head) + basicsize);
++	PyGC_Head *g;
++ 	if (basicsize > INT_MAX - sizeof(PyGC_Head))
++ 		return PyErr_NoMemory();
++	g = PyObject_MALLOC(sizeof(PyGC_Head) + basicsize);
+ 	if (g == NULL)
+ 		return PyErr_NoMemory();
+ 	g->gc.gc_refs = GC_UNTRACKED;
+@@ -1291,6 +1294,8 @@ _PyObject_GC_Resize(PyVarObject *op, int
+ {
+ 	const size_t basicsize = _PyObject_VAR_SIZE(op->ob_type, nitems);
+ 	PyGC_Head *g = AS_GC(op);
++ 	if (basicsize > INT_MAX - sizeof(PyGC_Head))
++ 		return (PyVarObject *)PyErr_NoMemory();
+ 	g = PyObject_REALLOC(g,  sizeof(PyGC_Head) + basicsize);
+ 	if (g == NULL)
+ 		return (PyVarObject *)PyErr_NoMemory();
diff --git a/lang/python24/patches/patch-bb b/lang/python24/patches/patch-bb
new file mode 100644
index 00000000000..7e6baf459ea
--- /dev/null
+++ b/lang/python24/patches/patch-bb
@@ -0,0 +1,13 @@
+$NetBSD: patch-bb,v 1.1 2008/08/05 10:13:34 drochner Exp $
+
+--- Modules/mmapmodule.c.orig	2008-08-05 12:00:52.000000000 +0200
++++ Modules/mmapmodule.c
+@@ -223,7 +223,7 @@ mmap_read_method(mmap_object *self,
+ 		return(NULL);
+ 
+ 	/* silently 'adjust' out-of-range requests */
+-	if ((self->pos + num_bytes) > self->size) {
++	if (num_bytes > self->size - self->pos) {
+ 		num_bytes -= (self->pos+num_bytes) - self->size;
+ 	}
+ 	result = Py_BuildValue("s#", self->data+self->pos, num_bytes);
diff --git a/lang/python24/patches/patch-bc b/lang/python24/patches/patch-bc
new file mode 100644
index 00000000000..f23f91f370c
--- /dev/null
+++ b/lang/python24/patches/patch-bc
@@ -0,0 +1,33 @@
+$NetBSD: patch-bc,v 1.1 2008/08/05 10:13:34 drochner Exp $
+
+--- Modules/stropmodule.c.orig	2008-03-02 20:20:32.000000000 +0100
++++ Modules/stropmodule.c
+@@ -214,6 +214,13 @@ strop_joinfields(PyObject *self, PyObjec
+ 				return NULL;
+ 			}
+ 			slen = PyString_GET_SIZE(item);
++			if (slen > INT_MAX - reslen ||
++			    seplen > INT_MAX - reslen - seplen) {
++				PyErr_SetString(PyExc_OverflowError,
++						"input too long");
++				Py_DECREF(res);
++				return NULL;
++			}
+ 			while (reslen + slen + seplen >= sz) {
+ 				if (_PyString_Resize(&res, sz * 2) < 0)
+ 					return NULL;
+@@ -251,6 +258,14 @@ strop_joinfields(PyObject *self, PyObjec
+ 			return NULL;
+ 		}
+ 		slen = PyString_GET_SIZE(item);
++		if (slen > INT_MAX - reslen ||
++		    seplen > INT_MAX - reslen - seplen) {
++			PyErr_SetString(PyExc_OverflowError,
++					"input too long");
++			Py_DECREF(res);
++			Py_XDECREF(item);
++			return NULL;
++		}
+ 		while (reslen + slen + seplen >= sz) {
+ 			if (_PyString_Resize(&res, sz * 2) < 0) {
+ 				Py_DECREF(item);
diff --git a/lang/python24/patches/patch-bd b/lang/python24/patches/patch-bd
new file mode 100644
index 00000000000..14abc020380
--- /dev/null
+++ b/lang/python24/patches/patch-bd
@@ -0,0 +1,15 @@
+$NetBSD: patch-bd,v 1.1 2008/08/05 10:13:34 drochner Exp $
+
+--- Objects/bufferobject.c.orig	2008-03-02 20:20:32.000000000 +0100
++++ Objects/bufferobject.c
+@@ -384,6 +384,10 @@ buffer_repeat(PyBufferObject *self, int 
+ 		count = 0;
+ 	if (!get_buf(self, &ptr, &size))
+ 		return NULL;
++	if (count > INT_MAX / size) {
++		PyErr_SetString(PyExc_MemoryError, "result too large");
++		return NULL;
++	}
+ 	ob = PyString_FromStringAndSize(NULL, size * count);
+ 	if ( ob == NULL )
+ 		return NULL;
diff --git a/lang/python24/patches/patch-be b/lang/python24/patches/patch-be
new file mode 100644
index 00000000000..f76f00086b2
--- /dev/null
+++ b/lang/python24/patches/patch-be
@@ -0,0 +1,44 @@
+$NetBSD: patch-be,v 1.1 2008/08/05 10:13:34 drochner Exp $
+
+--- Objects/stringobject.c.orig	2006-10-06 21:26:14.000000000 +0200
++++ Objects/stringobject.c
+@@ -69,6 +69,11 @@ PyString_FromStringAndSize(const char *s
+ 		return (PyObject *)op;
+ 	}
+ 
++	if (size > INT_MAX - sizeof(PyStringObject)) {
++		PyErr_SetString(PyExc_OverflowError, "string is too large");
++		return NULL;
++	}
++
+ 	/* Inline PyObject_NewVar */
+ 	op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
+ 	if (op == NULL)
+@@ -104,7 +109,7 @@ PyString_FromString(const char *str)
+ 
+ 	assert(str != NULL);
+ 	size = strlen(str);
+-	if (size > INT_MAX) {
++	if (size > INT_MAX - sizeof(PyStringObject)) {
+ 		PyErr_SetString(PyExc_OverflowError,
+ 			"string is too long for a Python string");
+ 		return NULL;
+@@ -907,7 +912,18 @@ string_concat(register PyStringObject *a
+ 		Py_INCREF(a);
+ 		return (PyObject *)a;
+ 	}
++	/* Check that string sizes are not negative, to prevent an
++	   overflow in cases where we are passed incorrectly-created
++	   strings with negative lengths (due to a bug in other code).
++	*/
+ 	size = a->ob_size + b->ob_size;
++	if (a->ob_size < 0 || b->ob_size < 0 ||
++	    a->ob_size > INT_MAX - b->ob_size) {
++		PyErr_SetString(PyExc_OverflowError,
++				"strings are too large to concat");
++		return NULL;
++	}
++
+ 	/* Inline PyObject_NewVar */
+ 	op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
+ 	if (op == NULL)
diff --git a/lang/python24/patches/patch-bf b/lang/python24/patches/patch-bf
new file mode 100644
index 00000000000..28e193d7827
--- /dev/null
+++ b/lang/python24/patches/patch-bf
@@ -0,0 +1,19 @@
+$NetBSD: patch-bf,v 1.1 2008/08/05 10:13:34 drochner Exp $
+
+--- Objects/tupleobject.c.orig	2006-03-17 20:04:15.000000000 +0100
++++ Objects/tupleobject.c
+@@ -60,11 +60,12 @@ PyTuple_New(register int size)
+ 		int nbytes = size * sizeof(PyObject *);
+ 		/* Check for overflow */
+ 		if (nbytes / sizeof(PyObject *) != (size_t)size ||
+-		    (nbytes += sizeof(PyTupleObject) - sizeof(PyObject *))
+-		    <= 0)
++		    (nbytes > INT_MAX - sizeof(PyTupleObject) - sizeof(PyObject *)))
+ 		{
+ 			return PyErr_NoMemory();
+ 		}
++		nbytes += sizeof(PyTupleObject) - sizeof(PyObject *);
++
+ 		op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size);
+ 		if (op == NULL)
+ 			return NULL;
diff --git a/lang/python24/patches/patch-bg b/lang/python24/patches/patch-bg
new file mode 100644
index 00000000000..17dea7b6f6d
--- /dev/null
+++ b/lang/python24/patches/patch-bg
@@ -0,0 +1,114 @@
+$NetBSD: patch-bg,v 1.1 2008/08/05 10:13:34 drochner Exp $
+
+--- Objects/unicodeobject.c.orig	2006-10-05 20:08:58.000000000 +0200
++++ Objects/unicodeobject.c
+@@ -186,6 +186,11 @@ PyUnicodeObject *_PyUnicode_New(int leng
+         return unicode_empty;
+     }
+ 
++    /* Ensure we won't overflow the size. */
++    if (length > ((INT_MAX / sizeof(Py_UNICODE)) - 1)) {
++        return (PyUnicodeObject *)PyErr_NoMemory();
++    }
++
+     /* Unicode freelist & memory allocation */
+     if (unicode_freelist) {
+         unicode = unicode_freelist;
+@@ -1040,6 +1045,9 @@ PyObject *PyUnicode_EncodeUTF7(const Py_
+     char * out;
+     char * start;
+ 
++    if (cbAllocated / 5 != size)
++        return PyErr_NoMemory();
++
+     if (size == 0)
+ 		return PyString_FromStringAndSize(NULL, 0);
+ 
+@@ -1638,6 +1646,7 @@ PyUnicode_EncodeUTF16(const Py_UNICODE *
+ {
+     PyObject *v;
+     unsigned char *p;
++    int nsize, bytesize;
+ #ifdef Py_UNICODE_WIDE
+     int i, pairs;
+ #else
+@@ -1662,8 +1671,15 @@ PyUnicode_EncodeUTF16(const Py_UNICODE *
+ 	if (s[i] >= 0x10000)
+ 	    pairs++;
+ #endif
+-    v = PyString_FromStringAndSize(NULL,
+-		  2 * (size + pairs + (byteorder == 0)));
++    /* 2 * (size + pairs + (byteorder == 0)) */
++    if (size > INT_MAX ||
++	size > INT_MAX - pairs - (byteorder == 0))
++	return PyErr_NoMemory();
++    nsize = (size + pairs + (byteorder == 0));
++    bytesize = nsize * 2;
++    if (bytesize / 2 != nsize)
++	return PyErr_NoMemory();
++    v = PyString_FromStringAndSize(NULL, bytesize);
+     if (v == NULL)
+         return NULL;
+ 
+@@ -1977,6 +1993,11 @@ PyObject *unicodeescape_string(const Py_
+     char *p;
+ 
+     static const char *hexdigit = "0123456789abcdef";
++#ifdef Py_UNICODE_WIDE
++    const int expandsize = 10;
++#else
++    const int expandsize = 6;
++#endif
+ 
+     /* Initial allocation is based on the longest-possible unichr
+        escape.
+@@ -1992,13 +2013,12 @@ PyObject *unicodeescape_string(const Py_
+        escape.
+     */
+ 
++    if (size > (INT_MAX - 2 - 1) / expandsize)
++	return PyErr_NoMemory();
++
+     repr = PyString_FromStringAndSize(NULL,
+         2
+-#ifdef Py_UNICODE_WIDE
+-        + 10*size
+-#else
+-        + 6*size
+-#endif
++        + expandsize*size
+         + 1);
+     if (repr == NULL)
+         return NULL;
+@@ -2239,12 +2259,16 @@ PyObject *PyUnicode_EncodeRawUnicodeEsca
+     char *q;
+ 
+     static const char *hexdigit = "0123456789abcdef";
+-
+ #ifdef Py_UNICODE_WIDE
+-    repr = PyString_FromStringAndSize(NULL, 10 * size);
++    const int expandsize = 10;
+ #else
+-    repr = PyString_FromStringAndSize(NULL, 6 * size);
++    const int expandsize = 6;
+ #endif
++    
++    if (size > INT_MAX / expandsize)
++	return PyErr_NoMemory();
++    
++    repr = PyString_FromStringAndSize(NULL, expandsize * size);
+     if (repr == NULL)
+         return NULL;
+     if (size == 0)
+@@ -4289,6 +4313,11 @@ PyUnicodeObject *pad(PyUnicodeObject *se
+         return self;
+     }
+ 
++    if (left > INT_MAX - self->length ||
++	right > INT_MAX - (left + self->length)) {
++        PyErr_SetString(PyExc_OverflowError, "padded string is too long");
++        return NULL;
++    }
+     u = _PyUnicode_New(left + self->length + right);
+     if (u) {
+         if (left)