diff --git a/Lib/test/test_mmap.py b/Lib/test/test_mmap.py index 20ec56466fd..86dea1e902b 100644 --- a/Lib/test/test_mmap.py +++ b/Lib/test/test_mmap.py @@ -343,6 +343,19 @@ class MmapTests(unittest.TestCase): finally: mf.close() + def test_length_0_large_offset(self): + # Issue #10959: test mapping of a file by passing 0 for + # map length with a large offset doesn't cause a segfault. + if not hasattr(os, "stat"): + self.skipTest("needs os.stat") + + with open(TESTFN, "wb") as f: + f.write(115699 * b'm') # Arbitrary character + + with open(TESTFN, "w+b") as f: + self.assertRaises(ValueError, mmap.mmap, f.fileno(), 0, + offset=2147418112) + def test_move(self): # make move works everywhere (64-bit format problem earlier) f = open(TESTFN, 'w+') diff --git a/Misc/NEWS b/Misc/NEWS index 9c30d03e877..b9205de1f99 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -35,6 +35,9 @@ Core and Builtins Library ------- +- Issue #10955: Fix a potential crash when trying to mmap() a file past its + length. Initial patch by Ross Lagerwall. + - Issue #10898: Allow compiling the posix module when the C library defines a symbol named FSTAT. diff --git a/Modules/mmapmodule.c b/Modules/mmapmodule.c index 0e91f2c067d..4b2a97112b0 100644 --- a/Modules/mmapmodule.c +++ b/Modules/mmapmodule.c @@ -1164,6 +1164,11 @@ new_mmap_object(PyTypeObject *type, PyObject *args, PyObject *kwdict) # endif if (fd != -1 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) { if (map_size == 0) { + if (offset >= st.st_size) { + PyErr_SetString(PyExc_ValueError, + "mmap offset is greater than file size"); + return NULL; + } map_size = st.st_size - offset; } else if ((size_t)offset + (size_t)map_size > st.st_size) { PyErr_SetString(PyExc_ValueError, 
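Review bot: The comment in test_length_0_large_offset cites Issue #10959, while the Misc/NEWS entry in this same commit cites Issue #10955; one of the two is presumably a typo and should be corrected so the regression test traces back to the right report. The test also covers only an offset far beyond the 115699-byte file, although the guard added in Modules/mmapmodule.c is `offset >= size`, so the equality boundary is untested. A second assertion would pin it: write `mmap.ALLOCATIONGRANULARITY` bytes to the file and check `self.assertRaises(ValueError, mmap.mmap, f.fileno(), 0, offset=mmap.ALLOCATIONGRANULARITY)`.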
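Review bot: The new guard in the `map_size == 0` branch rejects `offset >= st.st_size`, but its message says "mmap offset is greater than file size", which is inaccurate when the two are equal and when an empty file is mapped at offset 0 (0 >= 0 also lands here). Wording such as `"mmap offset is greater than or equal to file size"` would match the condition; the same string appears in the later hunk at -1346 (the `m_obj->size` branch) and should change with it. A one-line comment above the check, e.g. `/* must run before st.st_size - offset, which would otherwise give a bogus map_size */`, would record why the ordering matters. new_mmap_object starts and ends outside the hunk, so the declared types of `offset` and `map_size` are not visible here.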
@@ -1346,6 +1351,12 @@ new_mmap_object(PyTypeObject *type, PyObject *args, PyObject *kwdict) else m_obj->size = low; #endif + if (offset >= m_obj->size) { + PyErr_SetString(PyExc_ValueError, + "mmap offset is greater than file size"); + Py_DECREF(m_obj); + return NULL; + } m_obj->size -= offset; } else { m_obj->size = map_size;
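Review bot: This early return releases the object with `Py_DECREF(m_obj)` and nothing else, so it relies on the deallocator to close whatever handles were stored in `m_obj` earlier in new_mmap_object. That code lies outside the hunk, so the assumption should be checked against the other error returns in the same branch to rule out a handle leak on this path. A short comment such as `/* dealloc releases any handles already stored in m_obj */` would make the dependency explicit.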