From 168350cd9849b0ab56867c487cfd78ca68c2b228 Mon Sep 17 00:00:00 2001
From: Tom Collins <tom.collins@digi.com>
Date: Thu, 25 May 2017 13:53:49 -0700
Subject: py/objstringio: Prevent offset wraparound for io.BytesIO objects.

Too big positive, or too big negative offset values could lead to overflow
and address space wraparound and thus access to unrelated areas of memory
(a security issue).
---
 py/objstringio.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/py/objstringio.c b/py/objstringio.c
index 046d325806..cb8003bcdd 100644
--- a/py/objstringio.c
+++ b/py/objstringio.c
@@ -125,8 +125,19 @@ STATIC mp_uint_t stringio_ioctl(mp_obj_t o_in, mp_uint_t request, uintptr_t arg,
                     ref = o->vstr->len;
                     break;
             }
-            o->pos = ref + s->offset;
-            s->offset = o->pos;
+            mp_uint_t new_pos = ref + s->offset;
+            if (s->offset < 0) {
+                if (new_pos > ref) {
+                    // Negative offset from SEEK_CUR or SEEK_END went past 0.
+                    // CPython sets position to 0, POSIX returns an EINVAL error
+                    new_pos = 0;
+                }
+            } else if (new_pos < ref) {
+                // positive offset went beyond the limit of mp_uint_t
+                *errcode = MP_EINVAL;  // replace with MP_EOVERFLOW when defined
+                return MP_STREAM_ERROR;
+            }
+            s->offset = o->pos = new_pos;
             return 0;
         }
         case MP_STREAM_FLUSH:
-- 
cgit v1.2.3