mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-08-01 07:33:08 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Prevent expandtabs() on string and unicode objects from causing a segfault when

Browse source 
a large width is passed on 32-bit platforms.  Found by Google.

It would be good for people to review this especially carefully and verify
I don't have an off by one error and there is no other way to cause overflow.
This commit is contained in:
Neal Norwitz 2007-06-09 03:36:34 +00:00
parent ea7f88e3d9
commit 7dbd2a3720
5 changed files with 49 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

17
Objects/unicodeobject.c
View file

@ -5690,7 +5690,7 @@ unicode_expandtabs(PyUnicodeObject *self, PyObject *args)
Py_UNICODE *e;
Py_UNICODE *p;
Py_UNICODE *q;
Py_ssize_t i, j;
Py_ssize_t i, j, old_j;
PyUnicodeObject *u;
int tabsize = 8;
@ -5698,12 +5698,18 @@ unicode_expandtabs(PyUnicodeObject *self, PyObject *args)
return NULL;
/* First pass: determine size of output string */
i = j = 0;
i = j = old_j = 0;
e = self->str + self->length;
for (p = self->str; p < e; p++)
if (*p == '\t') {
if (tabsize > 0)
if (tabsize > 0) {
j += tabsize - (j % tabsize);
if (old_j > j) {
PyErr_SetString(PyExc_OverflowError, "new string is too long");
return NULL;
}
old_j = j;
}
}
else {
j++;
@ -5713,6 +5719,11 @@ unicode_expandtabs(PyUnicodeObject *self, PyObject *args)
}
}
if ((i + j) < 0) {
PyErr_SetString(PyExc_OverflowError, "new string is too long");
return NULL;
}
/* Second pass: create output string and fill it */
u = _PyUnicode_New(i + j);
if (!u)