mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-08-22 09:45:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 13

Fix the overflows in expandtabs(). "This time for sure!"

Browse source 
(Exploit at request.)
This commit is contained in:
Guido van Rossum 2008-03-11 21:14:54 +00:00
parent 8e741e008a
commit 44a93e54f4
2 changed files with 65 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

57
Objects/stringobject.c
View file

@ -3299,9 +3299,9 @@ If tabsize is not given, a tab size of 8 characters is assumed.");
static PyObject* static PyObject*
string_expandtabs(PyStringObject *self, PyObject *args) string_expandtabs(PyStringObject *self, PyObject *args)
{ {
const char *e, *p; const char *e, *p, *qe;
char *q; char *q;
Py_ssize_t i, j, old_j; Py_ssize_t i, j, incr;
PyObject *u; PyObject *u;
int tabsize = 8; int tabsize = 8;
@ -3309,63 +3309,70 @@ string_expandtabs(PyStringObject *self, PyObject *args)
return NULL; return NULL;
/* First pass: determine size of output string */ /* First pass: determine size of output string */
i = j = old_j = 0; i = 0; /* chars up to and including most recent \n or \r */
e = PyString_AS_STRING(self) + PyString_GET_SIZE(self); j = 0; /* chars since most recent \n or \r (use in tab calculations) */
e = PyString_AS_STRING(self) + PyString_GET_SIZE(self); /* end of input */
for (p = PyString_AS_STRING(self); p < e; p++) for (p = PyString_AS_STRING(self); p < e; p++)
if (*p == '\t') { if (*p == '\t') {
if (tabsize > 0) { if (tabsize > 0) {
j += tabsize - (j % tabsize); incr = tabsize - (j % tabsize);
if (old_j > j) { if (j > PY_SSIZE_T_MAX - incr)
PyErr_SetString(PyExc_OverflowError, goto overflow1;
"new string is too long"); j += incr;
return NULL;
}
old_j = j;
} }
} }
else { else {
if (j > PY_SSIZE_T_MAX - 1)
goto overflow1;
j++; j++;
if (*p == '\n' || *p == '\r') { if (*p == '\n' || *p == '\r') {
if (i > PY_SSIZE_T_MAX - j)
goto overflow1;
i += j; i += j;
old_j = j = 0; j = 0;
if (i < 0) {
PyErr_SetString(PyExc_OverflowError,
"new string is too long");
return NULL;
}
} }
} }
if ((i + j) < 0) { if (i > PY_SSIZE_T_MAX - j)
PyErr_SetString(PyExc_OverflowError, "new string is too long"); goto overflow1;
return NULL;
}
/* Second pass: create output string and fill it */ /* Second pass: create output string and fill it */
u = PyString_FromStringAndSize(NULL, i + j); u = PyString_FromStringAndSize(NULL, i + j);
if (!u) if (!u)
return NULL; return NULL;
j = 0; j = 0; /* same as in first pass */
q = PyString_AS_STRING(u); q = PyString_AS_STRING(u); /* next output char */
qe = PyString_AS_STRING(u) + PyString_GET_SIZE(u); /* end of output */
for (p = PyString_AS_STRING(self); p < e; p++) for (p = PyString_AS_STRING(self); p < e; p++)
if (*p == '\t') { if (*p == '\t') {
if (tabsize > 0) { if (tabsize > 0) {
i = tabsize - (j % tabsize); i = tabsize - (j % tabsize);
j += i; j += i;
while (i--) while (i--) {
if (q >= qe)
goto overflow2;
*q++ = ' '; *q++ = ' ';
} }
} }
}
else { else {
j++; if (q >= qe)
goto overflow2;
*q++ = *p; *q++ = *p;
j++;
if (*p == '\n' || *p == '\r') if (*p == '\n' || *p == '\r')
j = 0; j = 0;
} }
return u; return u;
overflow2:
Py_DECREF(u);
overflow1:
PyErr_SetString(PyExc_OverflowError, "new string is too long");
return NULL;
} }
Py_LOCAL_INLINE(PyObject *) Py_LOCAL_INLINE(PyObject *)

56
Objects/unicodeobject.c
View file

@ -5689,7 +5689,8 @@ unicode_expandtabs(PyUnicodeObject *self, PyObject *args)
Py_UNICODE *e; Py_UNICODE *e;
Py_UNICODE *p; Py_UNICODE *p;
Py_UNICODE *q; Py_UNICODE *q;
Py_ssize_t i, j, old_j; Py_UNICODE *qe;
Py_ssize_t i, j, incr;
PyUnicodeObject *u; PyUnicodeObject *u;
int tabsize = 8; int tabsize = 8;
@ -5697,63 +5698,70 @@ unicode_expandtabs(PyUnicodeObject *self, PyObject *args)
return NULL; return NULL;
/* First pass: determine size of output string */ /* First pass: determine size of output string */
i = j = old_j = 0; i = 0; /* chars up to and including most recent \n or \r */
e = self->str + self->length; j = 0; /* chars since most recent \n or \r (use in tab calculations) */
e = self->str + self->length; /* end of input */
for (p = self->str; p < e; p++) for (p = self->str; p < e; p++)
if (*p == '\t') { if (*p == '\t') {
if (tabsize > 0) { if (tabsize > 0) {
j += tabsize - (j % tabsize); incr = tabsize - (j % tabsize); /* cannot overflow */
if (old_j > j) { if (j > PY_SSIZE_T_MAX - incr)
PyErr_SetString(PyExc_OverflowError, goto overflow1;
"new string is too long"); j += incr;
return NULL;
}
old_j = j;
} }
} }
else { else {
if (j > PY_SSIZE_T_MAX - 1)
goto overflow1;
j++; j++;
if (*p == '\n' || *p == '\r') { if (*p == '\n' || *p == '\r') {
if (i > PY_SSIZE_T_MAX - j)
goto overflow1;
i += j; i += j;
old_j = j = 0; j = 0;
if (i < 0) {
PyErr_SetString(PyExc_OverflowError,
"new string is too long");
return NULL;
}
} }
} }
if ((i + j) < 0) { if (i > PY_SSIZE_T_MAX - j)
PyErr_SetString(PyExc_OverflowError, "new string is too long"); goto overflow1;
return NULL;
}
/* Second pass: create output string and fill it */ /* Second pass: create output string and fill it */
u = _PyUnicode_New(i + j); u = _PyUnicode_New(i + j);
if (!u) if (!u)
return NULL; return NULL;
j = 0; j = 0; /* same as in first pass */
q = u->str; q = u->str; /* next output char */
qe = u->str + u->length; /* end of output */
for (p = self->str; p < e; p++) for (p = self->str; p < e; p++)
if (*p == '\t') { if (*p == '\t') {
if (tabsize > 0) { if (tabsize > 0) {
i = tabsize - (j % tabsize); i = tabsize - (j % tabsize);
j += i; j += i;
while (i--) while (i--) {
if (q >= qe)
goto overflow2;
*q++ = ' '; *q++ = ' ';
} }
} }
}
else { else {
j++; if (q >= qe)
goto overflow2;
*q++ = *p; *q++ = *p;
j++;
if (*p == '\n' || *p == '\r') if (*p == '\n' || *p == '\r')
j = 0; j = 0;
} }
return (PyObject*) u; return (PyObject*) u;
overflow2:
Py_DECREF(u);
overflow1:
PyErr_SetString(PyExc_OverflowError, "new string is too long");
return NULL;
} }
PyDoc_STRVAR(find__doc__, PyDoc_STRVAR(find__doc__,