summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTim Peters <tim.peters@gmail.com>2001-12-19 04:41:35 (GMT)
committerTim Peters <tim.peters@gmail.com>2001-12-19 04:41:35 (GMT)
commit1fbb577ee26becacf53b92c53df356aaf227ea73 (patch)
tree269809974f51b25df90a37f3ee687d66c3c20150
parentb6d14daa1c48d8938a140a671bcd17cb40cdd54d (diff)
downloadcpython-1fbb577ee26becacf53b92c53df356aaf227ea73.zip
cpython-1fbb577ee26becacf53b92c53df356aaf227ea73.tar.gz
cpython-1fbb577ee26becacf53b92c53df356aaf227ea73.tar.bz2
SF bug #494738: binascii_b2a_base64 overwrites memory.
binascii_b2a_base64(): We didn't allocate enough buffer space for very short inputs (e.g., a 1-byte input can produce a 5-byte output, but we only allocated 2 bytes). I expect that malloc overheads absorbed the overrun in practice, but computing a correct upper bound is a very simple change.
-rw-r--r--Misc/ACKS1
-rw-r--r--Modules/binascii.c8
2 files changed, 6 insertions, 3 deletions
diff --git a/Misc/ACKS b/Misc/ACKS
index 1ebf774..3616e57 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -92,6 +92,7 @@ Benjamin Collar
Jeffery Collins
Matt Conway
David M. Cooke
+David Costanzo
Scott Cotton
Greg Couch
Steve Cousins
diff --git a/Modules/binascii.c b/Modules/binascii.c
index 643450c..9ef3054 100644
--- a/Modules/binascii.c
+++ b/Modules/binascii.c
@@ -137,7 +137,7 @@ static char table_a2b_base64[] = {
#define BASE64_PAD '='
/* Max binary chunk size; limited only by available memory */
-#define BASE64_MAXBIN (INT_MAX/2 - sizeof(PyStringObject))
+#define BASE64_MAXBIN (INT_MAX/2 - sizeof(PyStringObject) - 3)
static unsigned char table_b2a_base64[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
@@ -436,8 +436,10 @@ binascii_b2a_base64(PyObject *self, PyObject *args)
return NULL;
}
- /* We're lazy and allocate to much (fixed up later) */
- if ( (rv=PyString_FromStringAndSize(NULL, bin_len*2)) == NULL )
+ /* We're lazy and allocate too much (fixed up later).
+ "+3" leaves room for up to two pad characters and a trailing
+ newline. Note that 'b' gets encoded as 'Yg==\n' (1 in, 5 out). */
+ if ( (rv=PyString_FromStringAndSize(NULL, bin_len*2 + 3)) == NULL )
return NULL;
ascii_data = (unsigned char *)PyString_AsString(rv);