commit 168350cd9849b0ab56867c487cfd78ca68c2b228
author Tom Collins <tom.collins@digi.com> Thu May 25 13:53:49 2017 -0700
committer Paul Sokolovsky <pfalcon@users.sourceforge.net> Sun Aug 20 22:00:05 2017 +0300
tree 3f0afd3839162ded4c42a43f3a3dd5f40e1f0abd
parent 387a8d26f9b54b37928aa08641b159334b669219

py/objstringio: Prevent offset wraparound for io.BytesIO objects.

Too big positive, or too big negative offset values could lead to overflow
and address space wraparound and thus access to unrelated areas of memory
(a security issue).

py/objstringio.c

diff --git a/py/objstringio.c b/py/objstringio.c
index 046d325..cb8003b 100644
--- a/py/objstringio.c
+++ b/py/objstringio.c
@@ -125,8 +125,19 @@
                     ref = o->vstr->len;
                     break;
             }
-            o->pos = ref + s->offset;
-            s->offset = o->pos;
+            mp_uint_t new_pos = ref + s->offset;
+            if (s->offset < 0) {
+                if (new_pos > ref) {
+                    // Negative offset from SEEK_CUR or SEEK_END went past 0.
+                    // CPython sets position to 0, POSIX returns an EINVAL error
+                    new_pos = 0;
+                }
+            } else if (new_pos < ref) {
+                // positive offset went beyond the limit of mp_uint_t
+                *errcode = MP_EINVAL;  // replace with MP_EOVERFLOW when defined
+                return MP_STREAM_ERROR;
+            }
+            s->offset = o->pos = new_pos;
             return 0;
         }
         case MP_STREAM_FLUSH: