mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-08-31 05:58:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

bpo-34087: Fix buffer overflow in int(s) and similar functions (GH-8274)

Browse source 
`_PyUnicode_TransformDecimalAndSpaceToASCII()` missed trailing NUL char.
It caused buffer overflow in `_Py_string_to_number_with_underscores()`.

This bug is introduced in 9b6c60cb.
This commit is contained in:
INADA Naoki 2018-07-14 12:06:43 +09:00 committed by GitHub
parent cafaf0447b
commit 16dfca4d82
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 15 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
Lib/test/test_complex.py
View file

@ -345,6 +345,9 @@ class ComplexTest(unittest.TestCase):
self.assertEqual(type(complex("1"*500)), complex) self.assertEqual(type(complex("1"*500)), complex)
# check whitespace processing # check whitespace processing
self.assertEqual(complex('\N{EM SPACE}(\N{EN SPACE}1+1j ) '), 1+1j) self.assertEqual(complex('\N{EM SPACE}(\N{EN SPACE}1+1j ) '), 1+1j)
# Invalid unicode string
# See bpo-34087
self.assertRaises(ValueError, complex, '\u3053\u3093\u306b\u3061\u306f')
class EvilExc(Exception): class EvilExc(Exception):
pass pass

3
Lib/test/test_float.py
View file

@ -60,6 +60,9 @@ class GeneralFloatCases(unittest.TestCase):
# extra long strings should not be a problem # extra long strings should not be a problem
float(b'.' + b'1'*1000) float(b'.' + b'1'*1000)
float('.' + '1'*1000) float('.' + '1'*1000)
# Invalid unicode string
# See bpo-34087
self.assertRaises(ValueError, float, '\u3053\u3093\u306b\u3061\u306f')
def test_underscores(self): def test_underscores(self):
for lit in VALID_UNDERSCORE_LITERALS: for lit in VALID_UNDERSCORE_LITERALS:

4
Lib/test/test_long.py
View file

@ -373,6 +373,10 @@ class LongTest(unittest.TestCase):
for base in invalid_bases: for base in invalid_bases:
self.assertRaises(ValueError, int, '42', base) self.assertRaises(ValueError, int, '42', base)
# Invalid unicode string
# See bpo-34087
self.assertRaises(ValueError, int, '\u3053\u3093\u306b\u3061\u306f')
def test_conversion(self): def test_conversion(self):

1
Misc/NEWS.d/next/Core and Builtins/2018-07-13-22-09-55.bpo-34087.I1Bxfc.rst Normal file
View file

@ -0,0 +1 @@
Fix buffer overflow while converting unicode to numeric values.

2
Objects/unicodeobject.c
View file

@ -9072,6 +9072,7 @@ _PyUnicode_TransformDecimalAndSpaceToASCII(PyObject *unicode)
int decimal = Py_UNICODE_TODECIMAL(ch); int decimal = Py_UNICODE_TODECIMAL(ch);
if (decimal < 0) { if (decimal < 0) {
out[i] = '?'; out[i] = '?';
out[i+1] = '\0';
_PyUnicode_LENGTH(result) = i + 1; _PyUnicode_LENGTH(result) = i + 1;
break; break;
} }
@ -9079,6 +9080,7 @@ _PyUnicode_TransformDecimalAndSpaceToASCII(PyObject *unicode)
} }
} }
assert(_PyUnicode_CheckConsistency(result, 1));
return result; return result;
} }

2
Python/pystrtod.c
View file

@ -391,6 +391,8 @@ _Py_string_to_number_with_underscores(
char *dup, *end; char *dup, *end;
PyObject *result; PyObject *result;
assert(s[orig_len] == '\0');
if (strchr(s, '_') == NULL) { if (strchr(s, '_') == NULL) {
return innerfunc(s, orig_len, arg); return innerfunc(s, orig_len, arg);
} }