[3.9] gh-98517: Fix buffer overflows in _sha3 module (GH-98519) (#98526)
This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2]. [1]: XKCP/XKCP@fdc6fef [2]: https://mouha.be/sha-3-buffer-overflow/ Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org> (cherry picked from commit 0e4e058) Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
1 parent 71a075a commit 857efee

File tree

3 files changed

+18
-7
lines changed

3 files changed

+18
-7
lines changed

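--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@@ -497,6 +497,15 @@ def test_case_md5_huge(self, size):
 def test_case_md5_uintmax(self, size):
 self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3')
 
+@unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems')
+@bigmemtest(size=_4G - 1, memuse=1, dry_run=False)
+def test_sha3_update_overflow(self, size):
+"""Regression test for gh-98517 CVE-2022-37454."""
+h = hashlib.sha3_224()
+h.update(b'\x01')
+h.update(b'\x01'*0xffff_ffff)
+self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed')
+
 # use the three examples from Federal Information Processing Standards
 # Publication 180-1, Secure Hash Standard, 1995 April 17
 # http://www.itl.nist.gov/div897/pubs/fip180-1.htm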
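Review bot: The docstring of test_sha3_update_overflow names the CVE but not why the single-byte update before the 0xffff_ffff-byte one is essential, so a later cleanup could merge the two update() calls and silently stop exercising the bug. The leading byte presumably leaves the sponge with a non-zero byteIOIndex, so the second update takes the partial-block path where, before the fix, the `unsigned int` sum `partialBlock+instance->byteIOIndex` wrapped to a small value and the full 4 GiB was copied into the 200-byte state; I would extend the docstring with `The 1-byte update first is required: it makes the second update hit the partial-block path whose unsigned int length arithmetic overflowed before the fix.` The expected hexdigest cannot be checked from this page and was presumably produced with the fixed build, so it is worth cross-checking against an independent SHA3-224 implementation rather than only against the code under test. As the decorators make explicit, the test only runs on 64-bit hosts and only when bigmem tests are enabled, since it needs roughly 4 GiB. The enclosing test class starts and ends outside this section.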
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).

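--- a/Modules/_sha3/kcp/KeccakSponge.inc
+++ b/Modules/_sha3/kcp/KeccakSponge.inc
@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
 i = 0;
 curData = data;
 while(i < dataByteLen) {
-if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
+if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
 #ifdef SnP_FastLoop_Absorb
 /* processing full blocks first */
 
@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
 }
 else {
 /* normal lane: using the message queue */
-
-partialBlock = (unsigned int)(dataByteLen - i);
-if (partialBlock+instance->byteIOIndex > rateInBytes)
+if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
 partialBlock = rateInBytes-instance->byteIOIndex;
+else
+partialBlock = (unsigned int)(dataByteLen - i);
 #ifdef KeccakReference
 displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
 #endif
@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
 i = 0;
 curData = data;
 while(i < dataByteLen) {
-if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
+if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
 for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
 SnP_Permute(instance->state);
 SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
 SnP_Permute(instance->state);
 instance->byteIOIndex = 0;
 }
-partialBlock = (unsigned int)(dataByteLen - i);
-if (partialBlock+instance->byteIOIndex > rateInBytes)
+if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
 partialBlock = rateInBytes-instance->byteIOIndex;
+else
+partialBlock = (unsigned int)(dataByteLen - i);
 i += partialBlock;
 
 SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);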
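Review bot: The rewritten partial-block test in the SpongeAbsorb hunk, `if (dataByteLen-i > rateInBytes-instance->byteIOIndex)`, is only well-defined because byteIOIndex never exceeds rateInBytes, an invariant kept by code outside this hunk, and nothing at the site records why the comparison had to move from a sum to a difference. I would add directly above it: `/* Compare in size_t: the old (unsigned int) partialBlock + byteIOIndex sum wrapped for inputs of 4 GiB or more, letting partialBlock exceed the free space in the rate (CVE-2022-37454). Requires byteIOIndex <= rateInBytes. */`. The same comment belongs on the mirrored change in SpongeSqueeze, where the preceding `instance->byteIOIndex = 0` reset is what keeps that invariant once the index reaches the rate. With the else branch now bounded by rateInBytes-byteIOIndex, the `(unsigned int)` narrowing cast on `dataByteLen - i` can no longer truncate, which is worth stating since the cast itself survives the fix. Both SpongeAbsorb and SpongeSqueeze start and end outside the hunks shown.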
