authorBenjamin Peterson <benjamin@python.org>2016-08-14 00:21:22 (GMT)
committerBenjamin Peterson <benjamin@python.org>2016-08-14 00:21:22 (GMT)
commit59b6abd38c04472a256b1b04e8709defb29e44ef (patch)
tree6eaeb71a2ec978e88d6adce61550d32b21528049
parenta0b2568627e061f9dd8a31df665e97fdcf4b531d (diff)
parent6e01d90cc8bfac920bd4f7143b3968a8a21079d9 (diff)
merge 3.3 (#27758)
-rw-r--r--Misc/NEWS3
-rw-r--r--Modules/_csv.c23
2 files changed, 22 insertions, 4 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index 362b6ba..2611c09 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
Library
-------
+- Issue #27758: Fix possible integer overflow in the _csv module for large record
+ lengths.
+
- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
that the script is in CGI mode.
diff --git a/Modules/_csv.c b/Modules/_csv.c
index 1a363fa..ed6055d 100644
--- a/Modules/_csv.c
+++ b/Modules/_csv.c
@@ -1016,11 +1016,19 @@ join_append_data(WriterObj *self, unsigned int field_kind, void *field_data,
int i;
Py_ssize_t rec_len;
-#define ADDCH(c) \
+#define INCLEN \
+ do {\
+ if (!copy_phase && rec_len == PY_SSIZE_T_MAX) { \
+ goto overflow; \
+ } \
+ rec_len++; \
+ } while(0)
+
+#define ADDCH(c) \
do {\
if (copy_phase) \
self->rec[rec_len] = c;\
- rec_len++;\
+ INCLEN;\
} while(0)
rec_len = self->rec_len;
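Review bot: `int i;` at the top of this hunk stays a plain int while `rec_len` is being hardened against overflow. If `i` is the index compared against a `Py_ssize_t` field length in the loop further down (outside this hunk, so this is inferred), a field longer than INT_MAX would overflow it, and `Py_ssize_t i;` would close that gap. Separately, INCLEN checks only when `!copy_phase`, so the store `self->rec[rec_len] = c` in ADDCH is bounded solely by an earlier counting pass having sized the buffer for the same input. A comment on the macro would make that invariant and the hidden jump explicit, for example `/* Checked in the count phase only; the copy phase presumably writes into a buffer sized from that count. Jumps to the overflow label. */`. The body of join_append_data starts before and continues past this hunk.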
@@ -1086,11 +1094,18 @@ join_append_data(WriterObj *self, unsigned int field_kind, void *field_data,
if (*quoted) {
if (copy_phase)
ADDCH(dialect->quotechar);
- else
- rec_len += 2;
+ else {
+ INCLEN; /* starting quote */
+ INCLEN; /* ending quote */
+ }
}
return rec_len;
+
+ overflow:
+ PyErr_NoMemory();
+ return -1;
#undef ADDCH
+#undef INCLEN
}
static int
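Review bot: The new `overflow:` path reports the failure as `return -1` after `PyErr_NoMemory()`, so the fix holds only if every caller tests the result for a negative value before using it as a length. It also depends on the code that grows `self->rec` from the returned count not overflowing when the count is close to `PY_SSIZE_T_MAX`. Neither is visible in this hunk, and since the diffstat shows no other change to `_csv.c`, both rely on existing code and are worth confirming. Because the jump is hidden inside INCLEN, a comment above the label would help readers, e.g. `/* reached from INCLEN when the counted record length would exceed PY_SSIZE_T_MAX */`. The function starts outside this hunk.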