author | Antoine Pitrou <solipsis@pitrou.net> | 2014-11-02 17:41:56 (GMT) |
---|---|---|
committer | Antoine Pitrou <solipsis@pitrou.net> | 2014-11-02 17:41:56 (GMT) |
commit | 8a03896cace7cf2b8634c1409722fe6d3f9c8bcd (patch) | |
tree | 23f5e2d94a09abf5a2c80d095c26bd7f5e391dac | |
parent | c58e3a449bfcf42b4d3ec0495960472adaaa952e (diff) | |
parent | cc23154d020723dc85d055324861f6a8f54fe0f7 (diff) | |
Issue #22335: Fix crash when trying to enlarge a bytearray to 0x7fffffff bytes on a 32-bit platform.
-rw-r--r-- | Lib/test/test_bytes.py | 13 | ||||
-rw-r--r-- | Misc/NEWS | 3 | ||||
-rw-r--r-- | Objects/bytearrayobject.c | 21 | ||||
-rw-r--r-- | Objects/obmalloc.c | 8 |
4 files changed, 34 insertions, 11 deletions
diff --git a/Lib/test/test_bytes.py b/Lib/test/test_bytes.py index 23a411e..1e11437 100644 --- a/Lib/test/test_bytes.py +++ b/Lib/test/test_bytes.py @@ -13,9 +13,11 @@ import functools import pickle import tempfile import unittest + import test.support import test.string_tests import test.buffer_tests +from test.support import bigaddrspacetest, MAX_Py_ssize_t if sys.flags.bytes_warning: @@ -111,6 +113,17 @@ class BaseBytesTest: self.assertRaises(ValueError, self.type2test, [sys.maxsize+1]) self.assertRaises(ValueError, self.type2test, [10**100]) + @bigaddrspacetest + def test_constructor_overflow(self): + size = MAX_Py_ssize_t + self.assertRaises((OverflowError, MemoryError), self.type2test, size) + try: + # Should either pass or raise an error (e.g. on debug builds with + # additional malloc() overhead), but shouldn't crash. + bytearray(size - 4) + except (OverflowError, MemoryError): + pass + def test_compare(self): b1 = self.type2test([1, 2, 3]) b2 = self.type2test([1, 2, 3]) @@ -10,6 +10,9 @@ Release date: TBA Core and Builtins ----------------- +- Issue #22335: Fix crash when trying to enlarge a bytearray to 0x7fffffff + bytes on a 32-bit platform. + - Issue #22653: Fix an assertion failure in debug mode when doing a reentrant dict insertion in debug mode. diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c index 84447bc..47d480f 100644 --- a/Objects/bytearrayobject.c +++ b/Objects/bytearrayobject.c 
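Review bot: In `test_constructor_overflow` (hunk `@@ -111,6 +113,17 @@`) the second allocation is hard-coded as `bytearray(size - 4)`, although the test sits in `BaseBytesTest` and its first assertion goes through `self.type2test`. If the base class is run for more than one type, this repeats the same bytearray allocation instead of exercising the type under test. Consider `self.type2test(size - 4)`, or move the try block to the bytearray-specific test class if the regression only concerns bytearray. A one-line docstring such as `"""Huge sizes must raise OverflowError or MemoryError, never crash (issue #22335)."""` would also tie the test to the issue.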
@@ -180,20 +180,22 @@ PyByteArray_AsString(PyObject *self) } int -PyByteArray_Resize(PyObject *self, Py_ssize_t size) +PyByteArray_Resize(PyObject *self, Py_ssize_t requested_size) { void *sval; PyByteArrayObject *obj = ((PyByteArrayObject *)self); - Py_ssize_t alloc = obj->ob_alloc; - Py_ssize_t logical_offset = obj->ob_start - obj->ob_bytes; + /* All computations are done unsigned to avoid integer overflows + (see issue #22335). */ + size_t alloc = (size_t) obj->ob_alloc; + size_t logical_offset = (size_t) (obj->ob_start - obj->ob_bytes); + size_t size = (size_t) requested_size; assert(self != NULL); assert(PyByteArray_Check(self)); - assert(size >= 0); - assert(logical_offset >= 0); assert(logical_offset <= alloc); + assert(requested_size >= 0); - if (size == Py_SIZE(self)) { + if (requested_size == Py_SIZE(self)) { return 0; } if (!_canresize(obj)) { @@ -225,6 +227,10 @@ PyByteArray_Resize(PyObject *self, Py_ssize_t size) alloc = size + 1; } } + if (alloc > PY_SSIZE_T_MAX) { + PyErr_NoMemory(); + return -1; + } if (logical_offset > 0) { sval = PyObject_Malloc(alloc); @@ -232,7 +238,8 @@ PyByteArray_Resize(PyObject *self, Py_ssize_t size) PyErr_NoMemory(); return -1; } - memcpy(sval, PyByteArray_AS_STRING(self), Py_MIN(size, Py_SIZE(self))); + memcpy(sval, PyByteArray_AS_STRING(self), + Py_MIN(requested_size, Py_SIZE(self))); PyObject_Free(obj->ob_bytes); } else { diff --git a/Objects/obmalloc.c b/Objects/obmalloc.c index 2036e37..e900cc3 100644 --- a/Objects/obmalloc.c +++ b/Objects/obmalloc.c @@ -1828,8 +1828,8 @@ _PyMem_DebugAlloc(int use_calloc, void *ctx, size_t nbytes) bumpserialno(); total = nbytes + 4*SST; - if (total < nbytes) - /* overflow: can't represent total as a size_t */ + if (nbytes > PY_SSIZE_T_MAX - 4*SST) + /* overflow: can't represent total as a Py_ssize_t */ return NULL; if (use_calloc) 
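Review bot: In the `@@ -180,20 +180,22 @@` hunk of `PyByteArray_Resize`, the only guard against a negative argument is `assert(requested_size >= 0);`, which is compiled out when NDEBUG is defined, while `size_t size = (size_t) requested_size;` has already converted the value. A negative `requested_size` would then become a very large unsigned `size` and flow into the sizing logic further down; most of that logic is outside this hunk, so its behaviour for such a value should be confirmed. An explicit runtime check placed before the cast would make the precondition hold in release builds too, for example `if (requested_size < 0) { PyErr_BadInternalCall(); return -1; }`. The function body continues beyond the hunk.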
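Review bot: In `_PyMem_DebugAlloc` (hunk `@@ -1828,8 +1828,8 @@`) the line `total = nbytes + 4*SST;` is still evaluated before the new `nbytes > PY_SSIZE_T_MAX - 4*SST` guard, so the sum is computed even for sizes the guard then rejects. Unsigned wrap-around is well defined, so this is a readability point rather than a defect, but moving the assignment below the guard would show that `total` is only formed from an accepted `nbytes`. Writing the bound as `(size_t)PY_SSIZE_T_MAX - 4*SST` would also make the unsigned comparison explicit. The same ordering appears in the `_PyMem_DebugRealloc` hunk `@@ -1909,8 +1909,8 @@`; both functions continue outside their hunks.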
@@ -1909,8 +1909,8 @@ _PyMem_DebugRealloc(void *ctx, void *p, size_t nbytes) bumpserialno(); original_nbytes = read_size_t(q - 2*SST); total = nbytes + 4*SST; - if (total < nbytes) - /* overflow: can't represent total as a size_t */ + if (nbytes > PY_SSIZE_T_MAX - 4*SST) + /* overflow: can't represent total as a Py_ssize_t */ return NULL; /* Resize and add decorations. We may get a new pointer here, in which |