Repository: thrift Updated Branches: refs/heads/master 56d38fb91 -> 7daf00ceb
THRIFT-3175 python: fastbinary.c python deserialize can cause huge allocations from garbage define MAX_LIST_SIZE to be 10,000 Patch: Dvir Volk This closes #511 Project: http://git-wip-us.apache.org/repos/asf/thrift/repo Commit: http://git-wip-us.apache.org/repos/asf/thrift/commit/7daf00ce Tree: http://git-wip-us.apache.org/repos/asf/thrift/tree/7daf00ce Diff: http://git-wip-us.apache.org/repos/asf/thrift/diff/7daf00ce Branch: refs/heads/master Commit: 7daf00ceb1b6d52f7ab612b03f63907866381ff1 Parents: 56d38fb Author: Roger Meier <[email protected]> Authored: Wed Jun 3 11:45:35 2015 +0200 Committer: Roger Meier <[email protected]> Committed: Wed Jun 3 11:45:35 2015 +0200 ---------------------------------------------------------------------- lib/py/src/protocol/fastbinary.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/thrift/blob/7daf00ce/lib/py/src/protocol/fastbinary.c ---------------------------------------------------------------------- diff --git a/lib/py/src/protocol/fastbinary.c b/lib/py/src/protocol/fastbinary.c index 4133e98..93c4911 100644 --- a/lib/py/src/protocol/fastbinary.c +++ b/lib/py/src/protocol/fastbinary.c @@ -32,7 +32,7 @@ # if defined(_MSC_VER) && _MSC_VER < 1600 typedef int _Bool; # define bool _Bool -# define false 0 +# define false 0 # define true 1 # endif # define inline __inline @@ -197,6 +197,21 @@ check_ssize_t_32(Py_ssize_t len) { return true; } +#define MAX_LIST_SIZE (10000) + +static inline bool +check_list_length(Py_ssize_t len) { + // error from getting the int + if (INT_CONV_ERROR_OCCURRED(len)) { + return false; + } + if (!CHECK_RANGE(len, 0, MAX_LIST_SIZE)) { + PyErr_SetString(PyExc_OverflowError, "list size out of the sanity limit (10000 items max)"); + return false; + } + return true; +} + static inline bool parse_pyint(PyObject* o, int32_t* ret, int32_t min, int32_t max) { long val = PyInt_AsLong(o); @@ -1028,7 +1043,7 @@ decode_val(DecodeBuffer* input, TType type, PyObject* typeargs) { } len = readI32(input); - if (!check_ssize_t_32(len)) { + if (!check_list_length(len)) { return NULL; } @@ -1164,7 +1179,7 @@ decode_binary(PyObject *self, PyObject *args) { PyObject* typeargs = NULL; StructTypeArgs parsedargs; DecodeBuffer input = {0, 0}; - + if (!PyArg_ParseTuple(args, "OOO", &output_obj, &transport, &typeargs)) { return NULL; }
