mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-11-03 19:34:08 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

Issue #23985: Fix a possible buffer overrun when deleting a slice from the front of a bytearray and then appending some other bytes data.

Browse source 
Patch by Martin Panter.
This commit is contained in:
Antoine Pitrou 2015-05-19 20:52:27 +02:00
parent 6371446036
commit 2545411e28
3 changed files with 21 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

16
Lib/test/test_bytes.py
View file

@ -947,6 +947,22 @@ class ByteArrayTest(BaseBytesTest, unittest.TestCase):
b.extend(range(100, 110)) b.extend(range(100, 110))
self.assertEqual(list(b), list(range(10, 110))) self.assertEqual(list(b), list(range(10, 110)))
def test_fifo_overrun(self):
# Test for issue #23985, a buffer overrun when implementing a FIFO
# Build Python in pydebug mode for best results.
b = bytearray(10)
b.pop() # Defeat expanding buffer off-by-one quirk
del b[:1] # Advance start pointer without reallocating
b += bytes(2) # Append exactly the number of deleted bytes
del b # Free memory buffer, allowing pydebug verification
def test_del_expand(self):
# Reducing the size should not expand the buffer (issue #23985)
b = bytearray(10)
size = sys.getsizeof(b)
del b[:1]
self.assertLessEqual(sys.getsizeof(b), size)
def test_extended_set_del_slice(self): def test_extended_set_del_slice(self):
indices = (0, None, 1, 3, 19, 300, 1<<333, -1, -2, -31, -300) indices = (0, None, 1, 3, 19, 300, 1<<333, -1, -2, -31, -300)
for start in indices: for start in indices:

3
Misc/NEWS
View file

@ -10,6 +10,9 @@ Release date: tba
Core and Builtins Core and Builtins
----------------- -----------------
- Issue #23985: Fix a possible buffer overrun when deleting a slice from
the front of a bytearray and then appending some other bytes data.
- Issue #24102: Fixed exception type checking in standard error handlers. - Issue #24102: Fixed exception type checking in standard error handlers.
- Issue #20274: Remove ignored and erroneous "kwargs" parameters from three - Issue #20274: Remove ignored and erroneous "kwargs" parameters from three

8
Objects/bytearrayobject.c
View file

@ -179,7 +179,7 @@ PyByteArray_Resize(PyObject *self, Py_ssize_t requested_size)
return -1; return -1;
} }
if (size + logical_offset + 1 < alloc) { if (size + logical_offset + 1 <= alloc) {
/* Current buffer is large enough to host the requested size, /* Current buffer is large enough to host the requested size,
decide on a strategy. */ decide on a strategy. */
if (size < alloc / 2) { if (size < alloc / 2) {
@ -298,11 +298,7 @@ bytearray_iconcat(PyByteArrayObject *self, PyObject *other)
PyBuffer_Release(&vo); PyBuffer_Release(&vo);
return PyErr_NoMemory(); return PyErr_NoMemory();
} }
if (size < self->ob_alloc) { if (PyByteArray_Resize((PyObject *)self, size) < 0) {
Py_SIZE(self) = size;
PyByteArray_AS_STRING(self)[Py_SIZE(self)] = '\0'; /* Trailing null byte */
}
else if (PyByteArray_Resize((PyObject *)self, size) < 0) {
PyBuffer_Release(&vo); PyBuffer_Release(&vo);
return NULL; return NULL;
} }