mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-08-30 05:35:08 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

Fix a nasty endcase reported by Armin Rigo in SF bug 618623:

Browse source 
'%2147483647d' % -123 segfaults.  This was because an integer overflow
in a comparison caused the string resize to be skipped.  After fixing
the overflow, this could call _PyString_Resize() with a negative size,
so I (1) test for that and raise MemoryError instead; (2) also added a
test for negative newsize to _PyString_Resize(), raising SystemError
as for all bad arguments.

An identical bug existed in unicodeobject.c, of course.

Will backport to 2.2.2.
This commit is contained in:
Guido van Rossum 2002-10-11 00:43:48 +00:00
parent f689b88e11
commit 049cd6b563
2 changed files with 12 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Objects/stringobject.c
View file

@ -3319,7 +3319,7 @@ _PyString_Resize(PyObject **pv, int newsize)
register PyObject *v; register PyObject *v;
register PyStringObject *sv; register PyStringObject *sv;
v = *pv; v = *pv;
if (!PyString_Check(v) || v->ob_refcnt != 1) { if (!PyString_Check(v) || v->ob_refcnt != 1 || newsize < 0) {
*pv = 0; *pv = 0;
Py_DECREF(v); Py_DECREF(v);
PyErr_BadInternalCall(); PyErr_BadInternalCall();
@ -3959,10 +3959,14 @@ PyString_Format(PyObject *format, PyObject *args)
} }
if (width < len) if (width < len)
width = len; width = len;
if (rescnt < width + (sign != 0)) { if (rescnt - (sign != 0) < width) {
reslen -= rescnt; reslen -= rescnt;
rescnt = width + fmtcnt + 100; rescnt = width + fmtcnt + 100;
reslen += rescnt; reslen += rescnt;
if (reslen < 0) {
Py_DECREF(result);
return PyErr_NoMemory();
}
if (_PyString_Resize(&result, reslen) < 0) if (_PyString_Resize(&result, reslen) < 0)
return NULL; return NULL;
res = PyString_AS_STRING(result) res = PyString_AS_STRING(result)

8
Objects/unicodeobject.c
View file

@ -261,7 +261,7 @@ int PyUnicode_Resize(PyObject **unicode,
return -1; return -1;
} }
v = (PyUnicodeObject *)*unicode; v = (PyUnicodeObject *)*unicode;
if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1) { if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1 || length < 0) {
PyErr_BadInternalCall(); PyErr_BadInternalCall();
return -1; return -1;
} }
@ -6483,10 +6483,14 @@ PyObject *PyUnicode_Format(PyObject *format,
} }
if (width < len) if (width < len)
width = len; width = len;
if (rescnt < width + (sign != 0)) { if (rescnt - (sign != 0) < width) {
reslen -= rescnt; reslen -= rescnt;
rescnt = width + fmtcnt + 100; rescnt = width + fmtcnt + 100;
reslen += rescnt; reslen += rescnt;
if (reslen < 0) {
Py_DECREF(result);
return PyErr_NoMemory();
}
if (_PyUnicode_Resize(&result, reslen) < 0) if (_PyUnicode_Resize(&result, reslen) < 0)
return NULL; return NULL;
res = PyUnicode_AS_UNICODE(result) res = PyUnicode_AS_UNICODE(result)