author | Guido van Rossum <guido@python.org> | 2002-10-11 00:43:48 (GMT) |
---|---|---|
committer | Guido van Rossum <guido@python.org> | 2002-10-11 00:43:48 (GMT) |
commit | 049cd6b563892b64edd606cfdf36c5d0f30b7b16 (patch) | |
tree | a4a1c761bbb6117dabc2a6e673b534e812f21088 | |
parent | f689b88e11535443f72e67eea43db9aa944699e1 (diff) | |
Fix a nasty endcase reported by Armin Rigo in SF bug 618623:
'%2147483647d' % -123 segfaults. This was because an integer overflow
in a comparison caused the string resize to be skipped. After fixing
the overflow, this could call _PyString_Resize() with a negative size,
so I (1) test for that and raise MemoryError instead; (2) also added a
test for negative newsize to _PyString_Resize(), raising SystemError
as for all bad arguments.
An identical bug existed in unicodeobject.c, of course.
Will backport to 2.2.2.
-rw-r--r-- | Objects/stringobject.c | 8 | ||||
-rw-r--r-- | Objects/unicodeobject.c | 8 |
2 files changed, 12 insertions, 4 deletions
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index 6a9450a..5c5b6ae 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -3319,7 +3319,7 @@ _PyString_Resize(PyObject **pv, int newsize)
 register PyObject *v;
 register PyStringObject *sv;
 v = *pv;
- if (!PyString_Check(v) || v->ob_refcnt != 1) {
+ if (!PyString_Check(v) || v->ob_refcnt != 1 || newsize < 0) {
 *pv = 0;
 Py_DECREF(v);
 PyErr_BadInternalCall();
@@ -3959,10 +3959,14 @@ PyString_Format(PyObject *format, PyObject *args)
 }
 if (width < len)
 width = len;
- if (rescnt < width + (sign != 0)) {
+ if (rescnt - (sign != 0) < width) {
 reslen -= rescnt;
 rescnt = width + fmtcnt + 100;
 reslen += rescnt;
+ if (reslen < 0) {
+ Py_DECREF(result);
+ return PyErr_NoMemory();
+ }
 if (_PyString_Resize(&result, reslen) < 0)
 return NULL;
 res = PyString_AS_STRING(result)
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index eb8ee61..5f9f4a7 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -261,7 +261,7 @@ int PyUnicode_Resize(PyObject **unicode,
 return -1;
 }
 v = (PyUnicodeObject *)*unicode;
- if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1) {
+ if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1 || length < 0) {
 PyErr_BadInternalCall();
 return -1;
 }
@@ -6483,10 +6483,14 @@ PyObject *PyUnicode_Format(PyObject *format,
 }
 if (width < len)
 width = len;
- if (rescnt < width + (sign != 0)) {
+ if (rescnt - (sign != 0) < width) {
 reslen -= rescnt;
 rescnt = width + fmtcnt + 100;
 reslen += rescnt;
+ if (reslen < 0) {
+ Py_DECREF(result);
+ return PyErr_NoMemory();
+ }
 if (_PyUnicode_Resize(&result, reslen) < 0)
 return NULL;
 res = PyUnicode_AS_UNICODE(result) |
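Review bot: The new `newsize < 0` test in the _PyString_Resize hunk joins a failure path that sets `*pv = 0` and releases the string, while the matching `length < 0` test in the PyUnicode_Resize hunk of Objects/unicodeobject.c only calls `PyErr_BadInternalCall()` and leaves `*unicode` alone. Neither function says which contract a caller gets on a negative size, and that decides whether the caller must still drop its own reference. I would add a comment above each check, for example `/* newsize < 0 is a bad argument: *pv is cleared and the reference released */` here and `/* length < 0 is a bad argument: *unicode is left untouched, caller still owns it */` in the unicode hunk. Both function bodies continue outside the hunks.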
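Review bot: In the PyString_Format hunk of Objects/stringobject.c, `rescnt = width + fmtcnt + 100;` and `reslen += rescnt;` are still signed int additions that can overflow, and the added `if (reslen < 0)` only detects this afterwards by relying on wraparound. Signed overflow is undefined behaviour in C, so a compiler may drop the test, and a wrapped sum is not guaranteed to be negative in every case. Checking the bounds before the three assignments avoids both problems, e.g. `if (width > INT_MAX - fmtcnt - 100 || reslen - rescnt > INT_MAX - (width + fmtcnt + 100)) { Py_DECREF(result); return PyErr_NoMemory(); }`. The PyUnicode_Format hunk in Objects/unicodeobject.c has the same pattern. The diffstat lists only the two C files, so a regression test for the format string quoted in the commit message would be worth adding alongside; both function bodies start and end outside the hunks.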