diff options
author | Benjamin Peterson <benjamin@python.org> | 2016-08-14 00:21:22 (GMT) |
---|---|---|
committer | Benjamin Peterson <benjamin@python.org> | 2016-08-14 00:21:22 (GMT) |
commit | 59b6abd38c04472a256b1b04e8709defb29e44ef (patch) | |
tree | 6eaeb71a2ec978e88d6adce61550d32b21528049 | |
parent | a0b2568627e061f9dd8a31df665e97fdcf4b531d (diff) | |
parent | 6e01d90cc8bfac920bd4f7143b3968a8a21079d9 (diff) | |
download | cpython-59b6abd38c04472a256b1b04e8709defb29e44ef.zip cpython-59b6abd38c04472a256b1b04e8709defb29e44ef.tar.gz cpython-59b6abd38c04472a256b1b04e8709defb29e44ef.tar.bz2 |
merge 3.3 (#27758)
-rw-r--r-- | Misc/NEWS | 3 | ||||
-rw-r--r-- | Modules/_csv.c | 23 |
2 files changed, 22 insertions, 4 deletions
@@ -13,6 +13,9 @@ Core and Builtins Library ------- +- Issue #27758: Fix possible integer overflow in the _csv module for large record + lengths. + - Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates that the script is in CGI mode. diff --git a/Modules/_csv.c b/Modules/_csv.c index 1a363fa..ed6055d 100644 --- a/Modules/_csv.c +++ b/Modules/_csv.c @@ -1016,11 +1016,19 @@ join_append_data(WriterObj *self, unsigned int field_kind, void *field_data, int i; Py_ssize_t rec_len; -#define ADDCH(c) \ +#define INCLEN \ + do {\ + if (!copy_phase && rec_len == PY_SSIZE_T_MAX) { \ + goto overflow; \ + } \ + rec_len++; \ + } while(0) + +#define ADDCH(c) \ do {\ if (copy_phase) \ self->rec[rec_len] = c;\ - rec_len++;\ + INCLEN;\ } while(0) rec_len = self->rec_len; @@ -1086,11 +1094,18 @@ join_append_data(WriterObj *self, unsigned int field_kind, void *field_data, if (*quoted) { if (copy_phase) ADDCH(dialect->quotechar); - else - rec_len += 2; + else { + INCLEN; /* starting quote */ + INCLEN; /* ending quote */ + } } return rec_len; + + overflow: + PyErr_NoMemory(); + return -1; #undef ADDCH +#undef INCLEN } static int |