[gentoo-portage-dev] [PATCH] lib/portage/util: fix bundled whirlpool on empty bytestring input - gentoo-portage-dev

From:	Thomas Bracht Laumann Jespersen <t@×××××××.xyz>
To:	gentoo-portage-dev@l.g.o
Cc:	Thomas Bracht Laumann Jespersen <t@×××××××.xyz>
Subject:	[gentoo-portage-dev] [PATCH] lib/portage/util: fix bundled whirlpool on empty bytestring input
Date:	Fri, 20 May 2022 11:37:46
Message-Id:	`20220520113742.5225-1-t@laumann.xyz`

1

The WhirlpoolAdd function did not consider zero-length input, so calls

2

to update(b'') would produce out-of-bounds errors. This was not covered

3

by any tests, because the constructor implicitly skipped the call to

4

update on zero-length input.

5

6

Add check for zero-length input to WhirlpoolAdd, and have the Whirlpool

7

constructor skip calling update() only if arg is None.

8

9

Closes: https://bugs.gentoo.org/846389

10

Signed-off-by: Thomas Bracht Laumann Jespersen <t@×××××××.xyz>

11

---

12

PR on github: https://github.com/gentoo/portage/pull/832

13

14

 lib/portage/util/whirlpool.py | 16 +++++++++++-----

15

 1 file changed, 11 insertions(+), 5 deletions(-)

16

17

diff --git a/lib/portage/util/whirlpool.py b/lib/portage/util/whirlpool.py

18

index de344d8eb..9178d70c7 100644

19

--- a/lib/portage/util/whirlpool.py

20

+++ b/lib/portage/util/whirlpool.py

21

@@ -37,11 +37,9 @@ class Whirlpool:

22

     may be provided; if present, this string will be automatically

23

     hashed."""

24

25

-    def __init__(self, arg=None):

26

+    def __init__(self, arg=b""):

27

         self.ctx = WhirlpoolStruct()

28

-        if arg:

29

-            self.update(arg)

30

-        self.digest_status = 0

31

+        self.update(arg)

32

33

     def update(self, arg):

34

         """update(arg)"""

35

@@ -71,7 +69,7 @@ class Whirlpool:

36

         return copy.deepcopy(self)

37

38

39

-def new(init=None):

40

+def new(init=b""):

41

     """Return a new Whirlpool object. An optional string argument

42

     may be provided; if present, this string will be automatically

43

     hashed."""

44

@@ -2183,6 +2181,8 @@ def WhirlpoolInit(ctx):

45

 def WhirlpoolAdd(source, sourceBits, ctx):

46

     if not isinstance(source, bytes):

47

         raise TypeError("Expected %s, got %s" % (bytes, type(source)))

48

+    if sourceBits == 0:

49

+        return

50

51

     carry = 0

52

     value = sourceBits

53

@@ -2350,3 +2350,9 @@ if __name__ == "__main__":

54

         Whirlpool(b"").hexdigest()

55

         == "19fa61d75522a4669b44e39c1d2e1726c530232130d407f89afee0964997f7a73e83be698b288febcf88e3e03c4f0757ea8964e59b63d93708b138cc42a66eb3"

56

)

57

+    w = Whirlpool()

58

+    w.update(b"")

59

+    assert (

60

+        w.hexdigest()

61

+        == "19fa61d75522a4669b44e39c1d2e1726c530232130d407f89afee0964997f7a73e83be698b288febcf88e3e03c4f0757ea8964e59b63d93708b138cc42a66eb3"

62

+    )

63

--

64

2.35.1

1	The WhirlpoolAdd function did not consider zero-length input, so calls
2	to update(b'') would produce out-of-bounds errors. This was not covered
3	by any tests, because the constructor implicitly skipped the call to
4	update on zero-length input.
5
6	Add check for zero-length input to WhirlpoolAdd, and have the Whirlpool
7	constructor skip calling update() only if arg is None.
8
9	Closes: https://bugs.gentoo.org/846389
10	Signed-off-by: Thomas Bracht Laumann Jespersen <t@×××××××.xyz>
11	---
12	PR on github: https://github.com/gentoo/portage/pull/832
13
14	lib/portage/util/whirlpool.py \| 16 +++++++++++-----
15	1 file changed, 11 insertions(+), 5 deletions(-)
16
17	diff --git a/lib/portage/util/whirlpool.py b/lib/portage/util/whirlpool.py
18	index de344d8eb..9178d70c7 100644
19	--- a/lib/portage/util/whirlpool.py
20	+++ b/lib/portage/util/whirlpool.py
21	@@ -37,11 +37,9 @@ class Whirlpool:
22	may be provided; if present, this string will be automatically
23	hashed."""
24
25	- def __init__(self, arg=None):
26	+ def __init__(self, arg=b""):
27	self.ctx = WhirlpoolStruct()
28	- if arg:
29	- self.update(arg)
30	- self.digest_status = 0
31	+ self.update(arg)
32
33	def update(self, arg):
34	"""update(arg)"""
35	@@ -71,7 +69,7 @@ class Whirlpool:
36	return copy.deepcopy(self)
37
38
39	-def new(init=None):
40	+def new(init=b""):
41	"""Return a new Whirlpool object. An optional string argument
42	may be provided; if present, this string will be automatically
43	hashed."""
44	@@ -2183,6 +2181,8 @@ def WhirlpoolInit(ctx):
45	def WhirlpoolAdd(source, sourceBits, ctx):
46	if not isinstance(source, bytes):
47	raise TypeError("Expected %s, got %s" % (bytes, type(source)))
48	+ if sourceBits == 0:
49	+ return
50
51	carry = 0
52	value = sourceBits
53	@@ -2350,3 +2350,9 @@ if __name__ == "__main__":
54	Whirlpool(b"").hexdigest()
55	== "19fa61d75522a4669b44e39c1d2e1726c530232130d407f89afee0964997f7a73e83be698b288febcf88e3e03c4f0757ea8964e59b63d93708b138cc42a66eb3"
56	)
57	+ w = Whirlpool()
58	+ w.update(b"")
59	+ assert (
60	+ w.hexdigest()
61	+ == "19fa61d75522a4669b44e39c1d2e1726c530232130d407f89afee0964997f7a73e83be698b288febcf88e3e03c4f0757ea8964e59b63d93708b138cc42a66eb3"
62	+ )
63	--
64	2.35.1

Gentoo Archives: gentoo-portage-dev