Posted to commits@thrift.apache.org by ro...@apache.org on 2015/06/03 11:47:07 UTC

thrift git commit: THRIFT-3175 python: fastbinary.c python deserialize can cause huge allocations from garbage

Repository: thrift
Updated Branches:
  refs/heads/master 56d38fb91 -> 7daf00ceb


THRIFT-3175 python: fastbinary.c python deserialize can cause huge allocations from garbage

define MAX_LIST_SIZE to be 10,000

Patch: Dvir Volk

This closes #511


Project: http://git-wip-us.apache.org/repos/asf/thrift/repo
Commit: http://git-wip-us.apache.org/repos/asf/thrift/commit/7daf00ce
Tree: http://git-wip-us.apache.org/repos/asf/thrift/tree/7daf00ce
Diff: http://git-wip-us.apache.org/repos/asf/thrift/diff/7daf00ce

Branch: refs/heads/master
Commit: 7daf00ceb1b6d52f7ab612b03f63907866381ff1
Parents: 56d38fb
Author: Roger Meier <ro...@apache.org>
Authored: Wed Jun 3 11:45:35 2015 +0200
Committer: Roger Meier <ro...@apache.org>
Committed: Wed Jun 3 11:45:35 2015 +0200

----------------------------------------------------------------------
 lib/py/src/protocol/fastbinary.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/thrift/blob/7daf00ce/lib/py/src/protocol/fastbinary.c
----------------------------------------------------------------------
diff --git a/lib/py/src/protocol/fastbinary.c b/lib/py/src/protocol/fastbinary.c
index 4133e98..93c4911 100644
--- a/lib/py/src/protocol/fastbinary.c
+++ b/lib/py/src/protocol/fastbinary.c
@@ -32,7 +32,7 @@
 # if defined(_MSC_VER) && _MSC_VER < 1600
    typedef int _Bool;
 #  define bool _Bool
-#  define false 0 
+#  define false 0
 #  define true 1
 # endif
 # define inline __inline
@@ -197,6 +197,21 @@ check_ssize_t_32(Py_ssize_t len) {
   return true;
 }
 
+#define MAX_LIST_SIZE (10000)
+
+static inline bool
+check_list_length(Py_ssize_t len) {
+  // error from getting the int
+  if (INT_CONV_ERROR_OCCURRED(len)) {
+    return false;
+  }
+  if (!CHECK_RANGE(len, 0, MAX_LIST_SIZE)) {
+    PyErr_SetString(PyExc_OverflowError, "list size out of the sanity limit (10000 items max)");
+    return false;
+  }
+  return true;
+}
+
 static inline bool
 parse_pyint(PyObject* o, int32_t* ret, int32_t min, int32_t max) {
   long val = PyInt_AsLong(o);
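Review bot: The limit is written twice in the added code, once as `MAX_LIST_SIZE` and once as the literal 10000 inside the `PyErr_SetString` message in `check_list_length`, so the message can drift when the cap is changed. Building the message from the macro keeps them in step: `PyErr_Format(PyExc_OverflowError, "list size out of the sanity limit (%d items max)", MAX_LIST_SIZE);`. The macro also has no comment; something like `/* Upper bound on a container length read from untrusted input; checked before the decoder sizes anything from it. */` would record why the value exists. The cap applies per container, so nested containers can presumably still multiply the total allocation; a nesting-depth or total-size budget would be the complementary check.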
@@ -1028,7 +1043,7 @@ decode_val(DecodeBuffer* input, TType type, PyObject* typeargs) {
     }
 
     len = readI32(input);
-    if (!check_ssize_t_32(len)) {
+    if (!check_list_length(len)) {
       return NULL;
     }
 
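Review bot: Only this one length read in `decode_val` is switched to `check_list_length`; the diffstat's three deletions are this line plus two whitespace-only changes, so any other wire-supplied length in the decoder (map sizes or string lengths, if they are read outside this hunk) still goes through `check_ssize_t_32` and is bounded only by the 32-bit range. If the aim is to stop garbage input from driving large allocations, those reads need an equivalent bound or a comment saying why they are safe. The cap is also a behaviour change for callers, since a valid payload with more than 10000 elements now fails with `OverflowError`; a comment at the call such as `/* len comes from the wire: reject anything above MAX_LIST_SIZE */` would make that explicit. `decode_val` starts and ends outside this hunk, so which container case this is cannot be confirmed from here.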
@@ -1164,7 +1179,7 @@ decode_binary(PyObject *self, PyObject *args) {
   PyObject* typeargs = NULL;
   StructTypeArgs parsedargs;
   DecodeBuffer input = {0, 0};
-  
+
   if (!PyArg_ParseTuple(args, "OOO", &output_obj, &transport, &typeargs)) {
     return NULL;
   }