From 2ed6eb16b50df9dd228abf978337a687a68159c9 Mon Sep 17 00:00:00 2001
From: maurycy <5383+maurycy@users.noreply.github.com>
Date: Fri, 24 Apr 2026 22:17:06 +0200
Subject: [PATCH 1/3] cannot be simpler?
---
 Modules/_remote_debugging/binary_io_reader.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Modules/_remote_debugging/binary_io_reader.c b/Modules/_remote_debugging/binary_io_reader.c
index aca93e9cb1a30e..b64e94145937ef 100644
--- a/Modules/_remote_debugging/binary_io_reader.c
+++ b/Modules/_remote_debugging/binary_io_reader.c
@@ -24,6 +24,7 @@
 /* File structure sizes */
 #define FILE_FOOTER_SIZE 32
+#define SAMPLE_RECORD_HEADER_SIZE (sizeof(uint64_t) + sizeof(uint32_t) + 1)
 #define MIN_DECOMPRESS_BUFFER_SIZE (64 * 1024) /* Minimum decompression buffer */
 /* Progress callback frequency */
@@ -258,7 +259,7 @@ reader_parse_string_table(BinaryReader *reader, const uint8_t *data, size_t file
 PyErr_SetString(PyExc_ValueError, "Malformed varint in string table");
 return -1;
 }
- if (offset + str_len > file_size) {
+ if (offset > file_size || str_len > file_size - offset) {
 PyErr_SetString(PyExc_ValueError, "String table overflow");
 return -1;
 }
@@ -976,8 +977,8 @@ binary_reader_replay(BinaryReader *reader, PyObject *collector, PyObject *progre
 }
 while (offset < reader->sample_data_size) {
- /* Read thread_id (8 bytes) + interpreter_id (4 bytes) */
- if (offset + 13 > reader->sample_data_size) {
+ /* Read thread_id (8 bytes) + interpreter_id (4 bytes) + encoding byte */
+ if (reader->sample_data_size - offset < SAMPLE_RECORD_HEADER_SIZE) {
 break; /* End of data */
 }
From 3538dc32cd2bc52d88f5551c4e3645d208d866bd Mon Sep 17 00:00:00 2001
From: maurycy <5383+maurycy@users.noreply.github.com>
Date: Fri, 24 Apr 2026 23:15:45 +0200
Subject: [PATCH 2/3] blurb
---
 .../Security/2026-04-24-23-15-42.gh-issue-148252.8BLmzd.rst | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Security/2026-04-24-23-15-42.gh-issue-148252.8BLmzd.rst
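Review bot: `SAMPLE_RECORD_HEADER_SIZE`, added in the `@@ -24,6 +24,7 @@` hunk of binary_io_reader.c, has no comment saying what its three terms stand for; the trailing `+ 1` is explained only by the comment inside the replay loop several hundred lines further down. I would put `/* thread_id (8) + interpreter_id (4) + encoding byte (1) */` on the line above the define. The expression has type `size_t`, which suits the unsigned comparison it is used in, but it would silently convert a signed operand if the macro were reused against a signed length.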
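Review bot: The overflow-safe check `offset > file_size || str_len > file_size - offset` in the `@@ -258,7 +259,7 @@` hunk ships without a regression test; the three patches in this series touch only binary_io_reader.c and the NEWS entry. A test that loads a `.pyb` input whose declared string length exceeds the bytes remaining in the file and expects `ValueError` ("String table overflow") would pin the fix, ideally run on a 32-bit build where the old `offset + str_len` sum could wrap. Any other `offset + length > size` comparisons in this file would presumably need the same subtraction form, but they are outside the visible hunks. reader_parse_string_table starts and ends outside the hunk.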
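Review bot: A record header that is cut short still leaves the replay loop in the `@@ -976,8 +977,8 @@` hunk through `break; /* End of data */`, so 1 to 12 stray bytes at the end of the sample data are accepted as a normal end of file, while the string-table path in the same file raises `ValueError` for malformed input. Unless the format allows trailing padding, which is not visible here, this branch should fail closed: set `PyExc_ValueError` with a message such as "Truncated sample record header" and take the function's error return instead of breaking. The new subtraction is safe only because the loop condition guarantees `offset < reader->sample_data_size`, which deserves a comment next to it: `/* offset < sample_data_size here, so the subtraction cannot wrap */`. binary_reader_replay starts and ends outside the hunk.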
diff --git a/Misc/NEWS.d/next/Security/2026-04-24-23-15-42.gh-issue-148252.8BLmzd.rst b/Misc/NEWS.d/next/Security/2026-04-24-23-15-42.gh-issue-148252.8BLmzd.rst
new file mode 100644
index 00000000000000..f6aa08170ed555
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-04-24-23-15-42.gh-issue-148252.8BLmzd.rst
@@ -0,0 +1,3 @@
+Fixed string table and sample record bounds checks in
+:mod:`!_remote_debugging` when decoding certain ``.pyb`` inputs on 32
+builds. Patch by Maurycy Pawłowski-Wieroński.
From 70e11ce32571a1770a46237ad96d68b8b8e3a2cc Mon Sep 17 00:00:00 2001
From: maurycy <5383+maurycy@users.noreply.github.com>
Date: Fri, 24 Apr 2026 23:16:10 +0200
Subject: [PATCH 3/3] gqgq
---
 .../Security/2026-04-24-23-15-42.gh-issue-148252.8BLmzd.rst | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Misc/NEWS.d/next/Security/2026-04-24-23-15-42.gh-issue-148252.8BLmzd.rst b/Misc/NEWS.d/next/Security/2026-04-24-23-15-42.gh-issue-148252.8BLmzd.rst
index f6aa08170ed555..531ea2348ffdef 100644
--- a/Misc/NEWS.d/next/Security/2026-04-24-23-15-42.gh-issue-148252.8BLmzd.rst
+++ b/Misc/NEWS.d/next/Security/2026-04-24-23-15-42.gh-issue-148252.8BLmzd.rst
@@ -1,3 +1,3 @@
-Fixed string table and sample record bounds checks in
-:mod:`!_remote_debugging` when decoding certain ``.pyb`` inputs on 32
-builds. Patch by Maurycy Pawłowski-Wieroński.
+Fixed string table and sample record bounds checks in :mod:`!_remote_debugging`
+when decoding certain ``.pyb`` inputs on 32-bit builds. Patch by Maurycy
+Pawłowski-Wieroński.