From 09bf7a799da7c8b7cdd0f9c5cd789769b8cab2d5 Mon Sep 17 00:00:00 2001 From: Jesus Cea Date: Wed, 3 Oct 2012 02:13:05 +0200 Subject: [PATCH] Closes #15897: zipimport.c doesn't check return value of fseek() --- Misc/ACKS | 1 + Misc/NEWS | 3 +++ Modules/zipimport.c | 43 ++++++++++++++++++++++++++++++++++++------- 3 files changed, 40 insertions(+), 7 deletions(-) diff --git a/Misc/ACKS b/Misc/ACKS index 85190297844..46016e2c3e2 100644 --- a/Misc/ACKS +++ b/Misc/ACKS @@ -227,6 +227,7 @@ Christopher A. Craig Jeremy Craven Laura Creighton Simon Cross +Felipe Cruz Drew Csillag Joaquin Cuenca Abela John Cugini diff --git a/Misc/NEWS b/Misc/NEWS index a676f3eccf1..e7fc4f8ea4e 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -49,6 +49,9 @@ Core and Builtins - Issue #15020: The program name used to search for Python's path is now "python3" under Unix, not "python". +- Issue #15897: zipimport.c doesn't check return value of fseek(). + Patch by Felipe Cruz. + - Issue #15033: Fix the exit status bug when modules invoked using -m swith, return the proper failure return value (1). Patch contributed by Jeff Knupp. diff --git a/Modules/zipimport.c b/Modules/zipimport.c index d8c3d8ab299..d4e49276d2a 100644 --- a/Modules/zipimport.c +++ b/Modules/zipimport.c @@ -741,7 +741,12 @@ read_directory(PyObject *archive_obj) PyErr_Format(ZipImportError, "can't open Zip file: '%U'", archive_obj); return NULL; } - fseek(fp, -22, SEEK_END); + + if (fseek(fp, -22, SEEK_END) == -1) { + fclose(fp); + PyErr_Format(ZipImportError, "can't read Zip file: %R", archive); + return NULL; + } header_position = ftell(fp); if (fread(endof_central_dir, 1, 22, fp) != 22) { fclose(fp); @@ -773,11 +778,13 @@ read_directory(PyObject *archive_obj) PyObject *t; int err; - fseek(fp, header_offset, 0); /* Start of file header */ + if (fseek(fp, header_offset, 0) == -1) /* Start of file header */ + goto fseek_error; l = PyMarshal_ReadLongFromFile(fp); if (l != 0x02014B50) break; /* Bad: Central Dir File Header */ - fseek(fp, header_offset + 8, 0); + if (fseek(fp, header_offset + 8, 0) == -1) + goto fseek_error; flags = (unsigned short)PyMarshal_ReadShortFromFile(fp); compress = PyMarshal_ReadShortFromFile(fp); time = PyMarshal_ReadShortFromFile(fp); @@ -789,7 +796,8 @@ read_directory(PyObject *archive_obj) header_size = 46 + name_size + PyMarshal_ReadShortFromFile(fp) + PyMarshal_ReadShortFromFile(fp); - fseek(fp, header_offset + 42, 0); + if (fseek(fp, header_offset + 42, 0) == -1) + goto fseek_error; file_offset = PyMarshal_ReadLongFromFile(fp) + arc_offset; if (name_size > MAXPATHLEN) name_size = MAXPATHLEN; @@ -849,6 +857,12 @@ read_directory(PyObject *archive_obj) PySys_FormatStderr("# zipimport: found %ld names in %U\n", count, archive_obj); return files; +fseek_error: + fclose(fp); + Py_XDECREF(files); + Py_XDECREF(nameobj); + PyErr_Format(ZipImportError, "can't read Zip file: %R", archive); + return NULL; error: fclose(fp); Py_XDECREF(files); @@ -918,7 +932,12 @@ get_data(PyObject *archive, PyObject *toc_entry) } /* Check to make sure the local file header is correct */ - fseek(fp, file_offset, 0); + if (fseek(fp, file_offset, 0) == -1) { + fclose(fp); + PyErr_Format(ZipImportError, "can't read Zip file: %R", archive); + return NULL; + } + l = PyMarshal_ReadLongFromFile(fp); if (l != 0x04034B50) { /* Bad: Local File Header */ @@ -928,7 +947,12 @@ get_data(PyObject *archive, PyObject *toc_entry) fclose(fp); return NULL; } - fseek(fp, file_offset + 26, 0); + if (fseek(fp, file_offset + 26, 0) == -1) { + fclose(fp); + PyErr_Format(ZipImportError, "can't read Zip file: %R", archive); + return NULL; + } + l = 30 + PyMarshal_ReadShortFromFile(fp) + PyMarshal_ReadShortFromFile(fp); /* local header size */ file_offset += l; /* Start of file data */ @@ -945,8 +969,13 @@ get_data(PyObject *archive, PyObject *toc_entry) buf = PyBytes_AsString(raw_data); err = fseek(fp, file_offset, 0); - if (err == 0) + if (err == 0) { bytes_read = fread(buf, 1, data_size, fp); + } else { + fclose(fp); + PyErr_Format(ZipImportError, "can't read Zip file: %R", archive); + return NULL; + } fclose(fp); if (err || bytes_read != data_size) { PyErr_SetString(PyExc_IOError,