Skip to content

gh-145883: Fix two heap-buffer-overflows in _zoneinfo #145885

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
StanFromIreland wants to merge 7 commits into
base: main
Choose a base branch
from
+44 −3
Open

gh-145883: Fix two heap-buffer-overflows in _zoneinfo #145885

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
b764373
Fix two heap-buffer-overflows in `zoneinfo`
StanFromIreland Mar 12, 2026
0f27a07
Mimize testcase + blurb
StanFromIreland Mar 12, 2026
bf3f3a5
Add zoneinfo to compute-changes.py
StanFromIreland Mar 12, 2026
eacad9a
Change test + simplify check.
StanFromIreland Mar 16, 2026
f13b289
Move check
StanFromIreland Mar 18, 2026
1ae5455
Remvoe .gittattributes changes
StanFromIreland Mar 31, 2026
5ac2687
Merge branch 'main' into zoneinfo-overflows
StanFromIreland Mar 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions Lib/test/test_zoneinfo/test_zoneinfo.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -741,6 +741,38 @@ def test_empty_zone(self):
with self.assertRaises(ValueError):
self.klass.from_file(zf)

def test_invalid_transition_index(self):
STD = ZoneOffset("STD", ZERO)
DST = ZoneOffset("DST", ONE_H, ONE_H)

zf = self.construct_zone([
ZoneTransition(datetime(2026, 3, 1, 2), STD, DST),
ZoneTransition(datetime(2026, 11, 1, 2), DST, STD),
], after="", version=1)

data = bytearray(zf.read())
timecnt = struct.unpack_from(">l", data, 32)[0]
idx_offset = 44 + timecnt * 4
data[idx_offset + 1] = 2 # typecnt is 2, so index 2 is OOB
f = io.BytesIO(bytes(data))

with self.assertRaises(ValueError):
self.klass.from_file(f)

def test_transition_lookahead_out_of_bounds(self):
STD = ZoneOffset("STD", ZERO)
DST = ZoneOffset("DST", ONE_H, ONE_H)
EXT = ZoneOffset("EXT", ONE_H)

zf = self.construct_zone([
ZoneTransition(datetime(2026, 3, 1), STD, DST),
ZoneTransition(datetime(2026, 6, 1), DST, EXT),
ZoneTransition(datetime(2026, 9, 1), EXT, DST),
], after="")

zi = self.klass.from_file(zf)
self.assertIsNotNone(zi)

def test_zone_very_large_timestamp(self):
"""Test when a transition is in the far past or future.

Expand Down
4 changes: 4 additions & 0 deletions Lib/zoneinfo/_common.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,10 @@ def load_data(fobj):
f">{timecnt}{time_type}", fobj.read(timecnt * time_size)
)
trans_idx = struct.unpack(f">{timecnt}B", fobj.read(timecnt))

if max(trans_idx) >= typecnt:
raise ValueError("Invalid transition index found while reading TZif: "
f"{max(trans_idx)}")
else:
trans_list_utc = ()
trans_idx = ()
Expand Down
2 changes: 1 addition & 1 deletion Lib/zoneinfo/_zoneinfo.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -338,7 +338,7 @@ def _utcoff_to_dstoff(trans_idx, utcoffsets, isdsts):
if not isdsts[comp_idx]:
dstoff = utcoff - utcoffsets[comp_idx]

if not dstoff and idx < (typecnt - 1):
if not dstoff and idx < (typecnt - 1) and i + 1 < len(trans_idx):
comp_idx = trans_idx[i + 1]

# If the following transition is also DST and we couldn't
Expand Down
2 changes: 2 additions & 0 deletions Misc/NEWS.d/next/Library/2026-03-12-21-01-48.gh-issue-145883.lUvXcc.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
:mod:`zoneinfo`: Fix heap buffer overflow reads from malformed TZif data.
Found by OSS Fuzz, issues :oss-fuzz:`492245058` and :oss-fuzz:`492230068`.
4 changes: 2 additions & 2 deletions Modules/_zoneinfo.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1075,7 +1075,7 @@ load_data(zoneinfo_state *state, PyZoneInfo_ZoneInfo *self, PyObject *file_obj)
}

trans_idx[i] = (size_t)cur_trans_idx;
if (trans_idx[i] > self->num_ttinfos) {
if (trans_idx[i] >= self->num_ttinfos) {
PyErr_Format(
PyExc_ValueError,
"Invalid transition index found while reading TZif: %zd",
Expand Down Expand Up @@ -2081,7 +2081,7 @@ utcoff_to_dstoff(size_t *trans_idx, long *utcoffs, long *dstoffs,
dstoff = utcoff - utcoffs[comp_idx];
}

if (!dstoff && idx < (num_ttinfos - 1)) {
if (!dstoff && idx < (num_ttinfos - 1) && i + 1 < num_transitions) {
comp_idx = trans_idx[i + 1];

// If the following transition is also DST and we couldn't find
Expand Down
3 changes: 3 additions & 0 deletions Tools/build/compute-changes.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,9 @@
Path("Modules/pyexpat.c"),
# zipfile
Path("Lib/zipfile/"),
# zoneinfo
Path("Lib/zoneinfo/"),
Path("Modules/_zoneinfo.c"),
Comment on lines +102 to +104
Copy link
Copy Markdown
Member

@serhiy-storchaka serhiy-storchaka Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is it about? How is this list use and why these additions are necessary?

Copy link
Copy Markdown
Member Author

@StanFromIreland StanFromIreland Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the list of files that triggers CIFuzz, we started fuzzing zoneinfo (which found one of the two bugs the following day) in python/library-fuzzers@eb273d5. It's not related to the issue, but it's so small I think including it here is fine.

})


Expand Down
Loading