changeset:   90235:a8facac493ef
branch:      3.1
parent:      89608:23add5382fb3
user:        Benjamin Peterson <benjamin@python.org>
date:        Sun Apr 13 22:10:38 2014 -0400
files:       Lib/json/tests/test_decode.py Misc/ACKS Misc/NEWS Modules/_json.c
description:
in scan_once, prevent the reading of arbitrary memory when passed a negative index

Bug reported by Guido Vranken.


diff -r 23add5382fb3 -r a8facac493ef Lib/json/tests/test_decode.py
--- a/Lib/json/tests/test_decode.py	Wed Mar 12 18:05:53 2014 -0500
+++ b/Lib/json/tests/test_decode.py	Sun Apr 13 22:10:38 2014 -0400
@@ -45,5 +45,9 @@
         self.assertEqual(rval, {"key":"value", "k":"v"})
 
 
+    def test_negative_index(self):
+        d = self.json.JSONDecoder()
+        self.assertRaises(ValueError, d.raw_decode, 'a'*42, -50000)
+
 class TestPyDecode(TestDecode, PyTest): pass
 class TestCDecode(TestDecode, CTest): pass
diff -r 23add5382fb3 -r a8facac493ef Misc/ACKS
--- a/Misc/ACKS	Wed Mar 12 18:05:53 2014 -0500
+++ b/Misc/ACKS	Sun Apr 13 22:10:38 2014 -0400
@@ -842,6 +842,7 @@
 Kurt Vile
 Norman Vine
 Frank Visser
+Guido Vranken
 Niki W. Waibel
 Wojtek Walczak
 Charles Waldman
diff -r 23add5382fb3 -r a8facac493ef Misc/NEWS
--- a/Misc/NEWS	Wed Mar 12 18:05:53 2014 -0500
+++ b/Misc/NEWS	Sun Apr 13 22:10:38 2014 -0400
@@ -13,6 +13,9 @@
 Library
 -------
 
+- Fix arbitrary memory access in JSONDecoder.raw_decode with a negative second
+  parameter. Bug reported by Guido Vranken.
+
 - Issue #20246: Fix buffer overflow in socket.recvfrom_into.
 
 - Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler.
diff -r 23add5382fb3 -r a8facac493ef Modules/_json.c
--- a/Modules/_json.c	Wed Mar 12 18:05:53 2014 -0500
+++ b/Modules/_json.c	Sun Apr 13 22:10:38 2014 -0400
@@ -902,7 +902,10 @@
     PyObject *res;
     Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
     Py_ssize_t length = PyUnicode_GET_SIZE(pystr);
-    if (idx >= length) {
+    if (idx < 0)
+        /* Compatibility with Python version. */
+        idx += length;
+    if (idx < 0 || idx >= length) {
         PyErr_SetNone(PyExc_StopIteration);
         return NULL;
     }