author | Charles-François Natali <neologix@free.fr> | 2011-08-28 16:10:27 (GMT) |
---|---|---|
committer | Charles-François Natali <neologix@free.fr> | 2011-08-28 16:10:27 (GMT) |
commit | ac7e9e058d8da18d0002f2b9456900c34a13e463 (patch) | |
tree | 8b3729f41abc4afd6e0c682f01f6d80b3a09604c | |
parent | 44c6ef50af9980f33f6373440f0afc9cfa800c86 (diff) | |
parent | aa26b275034c07784c4d64e9a2bc26c742577327 (diff) | |
Issue #12287: Fix a stack corruption in ossaudiodev module when the FD is
greater than FD_SETSIZE.
-rw-r--r-- | Include/fileobject.h | 7 | ||||
-rw-r--r-- | Misc/NEWS | 3 | ||||
-rw-r--r-- | Modules/_ssl.c | 4 | ||||
-rw-r--r-- | Modules/ossaudiodev.c | 5 | ||||
-rw-r--r-- | Modules/selectmodule.c | 9 | ||||
-rw-r--r-- | Modules/socketmodule.c | 12 |
6 files changed, 21 insertions, 19 deletions
diff --git a/Include/fileobject.h b/Include/fileobject.h
index c4a2a2b..a99c94d 100644
--- a/Include/fileobject.h
+++ b/Include/fileobject.h
@@ -44,6 +44,13 @@ int _PyVerify_fd(int fd);
 #endif
 #endif /* Py_LIMITED_API */
+/* A routine to check if a file descriptor can be select()-ed. */
+#ifdef HAVE_SELECT
+ #define _PyIsSelectable_fd(FD) (((FD) >= 0) && ((FD) < FD_SETSIZE))
+#else
+ #define _PyIsSelectable_fd(FD) (1)
+#endif /* HAVE_SELECT */
+
 #ifdef __cplusplus
 }
 #endif
@@ -268,6 +268,9 @@ Core and Builtins
 Library
 -------
+- Issue #12287: Fix a stack corruption in ossaudiodev module when the FD is
+ greater than FD_SETSIZE.
+
 - Issue #12839: Fix crash in zlib module due to version mismatch. Fix by Richard M. Tew.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index b203ce4..3d44b61 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1040,10 +1040,8 @@ check_socket_and_wait_for_timeout(PySocketSockObject *s, int writing)
 #endif
 /* Guard against socket too large for select*/
-#ifndef Py_SOCKET_FD_CAN_BE_GE_FD_SETSIZE
- if (s->sock_fd >= FD_SETSIZE)
+ if (!_PyIsSelectable_fd(s->sock_fd))
 return SOCKET_TOO_LARGE_FOR_SELECT;
-#endif
 /* Construct the arguments to select */
 tv.tv_sec = (int)s->sock_timeout;
diff --git a/Modules/ossaudiodev.c b/Modules/ossaudiodev.c
index 1505731..95a23b7 100644
--- a/Modules/ossaudiodev.c
+++ b/Modules/ossaudiodev.c
@@ -474,6 +474,11 @@ oss_writeall(oss_audio_t *self, PyObject *args)
 if (!PyArg_ParseTuple(args, "y#:write", &cp, &size))
 return NULL;
+ if (!_PyIsSelectable_fd(self->fd)) {
+ PyErr_SetString(PyExc_ValueError,
+ "file descriptor out of range for select");
+ return NULL;
+ }
 /* use select to wait for audio device to be available */
 FD_ZERO(&write_set_fds);
 FD_SET(self->fd, &write_set_fds);
diff --git a/Modules/selectmodule.c b/Modules/selectmodule.c
index 20f23d9..e594b51 100644
--- a/Modules/selectmodule.c
+++ b/Modules/selectmodule.c
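Review bot: In Include/fileobject.h, `_PyIsSelectable_fd` has no branch for platforms where select() is not limited by FD_SETSIZE, while the `Py_SOCKET_FD_CAN_BE_GE_FD_SETSIZE` opt-out is removed from Modules/_ssl.c and Modules/socketmodule.c in this same commit. If a build defines both that opt-out and HAVE_SELECT (not visible here), sockets whose handle value is >= FD_SETSIZE would now be refused with SOCKET_TOO_LARGE_FOR_SELECT or reported as not selectable. Keeping the opt-out in the macro's condition would preserve the old behaviour, e.g. `#if defined(HAVE_SELECT) && !defined(Py_SOCKET_FD_CAN_BE_GE_FD_SETSIZE)`. The macro also expands `FD` twice and relies on the including file to have FD_SETSIZE defined, both of which deserve a line in its comment.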
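Review bot: The new guard in oss_writeall in Modules/ossaudiodev.c would benefit from a comment saying why it exists, because the reason is not obvious from the code: FD_SET on a descriptor outside [0, FD_SETSIZE) writes outside `write_set_fds`, which the commit message describes as stack corruption. Something like `/* FD_SET() below indexes write_set_fds by fd; reject values it cannot hold */` would do. The message `"file descriptor out of range for select"` also differs in spelling from the `"filedescriptor out of range in select()"` used in Modules/selectmodule.c, and it is what a caller now sees for a negative fd as well; whether a closed device can reach this point with a negative fd is not visible here. oss_writeall's body starts and continues outside the hunk.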
@@ -110,7 +110,7 @@ seq2set(PyObject *seq, fd_set *set, pylist fd2obj[FD_SETSIZE + 1])
 #if defined(_MSC_VER)
 max = 0; /* not used for Win32 */
 #else /* !_MSC_VER */
- if (v < 0 || v >= FD_SETSIZE) {
+ if (!_PyIsSelectable_fd(v)) {
 PyErr_SetString(PyExc_ValueError,
 "filedescriptor out of range in select()");
 goto finally;
@@ -160,13 +160,6 @@ set2list(fd_set *set, pylist fd2obj[FD_SETSIZE + 1])
 for (j = 0; fd2obj[j].sentinel >= 0; j++) {
 fd = fd2obj[j].fd;
 if (FD_ISSET(fd, set)) {
-#ifndef _MSC_VER
- if (fd > FD_SETSIZE) {
- PyErr_SetString(PyExc_SystemError,
- "filedescriptor out of range returned in select()");
- goto finally;
- }
-#endif
 o = fd2obj[j].obj;
 fd2obj[j].obj = NULL;
 /* transfer ownership */
diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c
index 936a68d..f56e9af 100644
--- a/Modules/socketmodule.c
+++ b/Modules/socketmodule.c
@@ -485,18 +485,14 @@ static PyTypeObject sock_type;
 #define SOCKLEN_T_LIMIT INT_MAX
 #endif
-#ifdef Py_SOCKET_FD_CAN_BE_GE_FD_SETSIZE
-/* Platform can select file descriptors beyond FD_SETSIZE */
-#define IS_SELECTABLE(s) 1
-#elif defined(HAVE_POLL)
+#ifdef HAVE_POLL
 /* Instead of select(), we'll use poll() since poll() works on any fd. */
 #define IS_SELECTABLE(s) 1
 /* Can we call select() with this socket without a buffer overrun? */
 #else
-/* POSIX says selecting file descriptors beyond FD_SETSIZE
- has undefined behaviour. If there's no timeout left, we don't have to
- call select, so it's a safe, little white lie. */
-#define IS_SELECTABLE(s) ((s)->sock_fd < FD_SETSIZE || s->sock_timeout <= 0.0)
+/* If there's no timeout left, we don't have to call select, so it's a safe,
+ * little white lie. */
+#define IS_SELECTABLE(s) (_PyIsSelectable_fd((s)->sock_fd) || (s)->sock_timeout <= 0.0)
 #endif
 static PyObject* |
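Review bot: In Modules/socketmodule.c the non-poll `IS_SELECTABLE` still evaluates true for an out-of-range `sock_fd` whenever `sock_timeout <= 0.0`, so its safety depends on every user of the macro skipping select() in that case; those call sites are outside the hunk. The comment should state that contract explicitly, for example `/* May be true for an fd select() cannot hold, but only when sock_timeout <= 0.0; callers must not call select() then. */`. The context comment `/* Can we call select() with this socket without a buffer overrun? */` sits above `#else`, inside the HAVE_POLL branch, although it describes the branch below it; moving it under `#else` would make the block easier to read.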