author | Serhiy Storchaka <storchaka@gmail.com> | 2015-06-29 18:18:01 (GMT) |
---|---|---|
committer | Serhiy Storchaka <storchaka@gmail.com> | 2015-06-29 18:18:01 (GMT) |
commit | bc9e75ed023ff03f555682e57d25fee32e6548a0 (patch) | |
tree | 5f31459160ab9cae7a005ce01766d834f321e26d | |
parent | a95a476b3ae93d890209e592d675ae64c82e05dc (diff) | |
parent | 7b6e3b91f54e8fafbb1565a7d0999dec4fca783f (diff) | |
Issue #24467: Fixed possible buffer over-read in bytearray. The bytearray
object now always allocates space for a trailing null byte and its buffer is
now always null-terminated.
-rw-r--r-- | Lib/test/test_bytes.py | 19 | ||||
-rw-r--r-- | Misc/NEWS | 4 | ||||
-rw-r--r-- | Objects/bytearrayobject.c | 4 |
3 files changed, 25 insertions, 2 deletions
diff --git a/Lib/test/test_bytes.py b/Lib/test/test_bytes.py index 7ff7f19..53a80f4 100644 --- a/Lib/test/test_bytes.py +++ b/Lib/test/test_bytes.py @@ -1098,10 +1098,27 @@ class ByteArrayTest(BaseBytesTest, unittest.TestCase): for i in range(100): b += b"x" alloc = b.__alloc__() - self.assertTrue(alloc >= len(b)) + self.assertGreater(alloc, len(b)) # including trailing null byte if alloc not in seq: seq.append(alloc) + def test_init_alloc(self): + b = bytearray() + def g(): + for i in range(1, 100): + yield i + a = list(b) + self.assertEqual(a, list(range(1, len(a)+1))) + self.assertEqual(len(b), len(a)) + self.assertLessEqual(len(b), i) + alloc = b.__alloc__() + self.assertGreater(alloc, len(b)) # including trailing null byte + b.__init__(g()) + self.assertEqual(list(b), list(range(1, 100))) + self.assertEqual(len(b), 99) + alloc = b.__alloc__() + self.assertGreater(alloc, len(b)) + def test_extend(self): orig = b'hello' a = bytearray(orig) @@ -10,6 +10,10 @@ Release date: 2015-07-05 Core and Builtins ----------------- +- Issue #24467: Fixed possible buffer over-read in bytearray. The bytearray + object now always allocates place for trailing null byte and it's buffer now + is always null-terminated. + - Upgrade to Unicode 8.0.0. - Issue #24345: Add Py_tp_finalize slot for the stable ABI. diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c index 49db367..dae80d9 100644 --- a/Objects/bytearrayobject.c +++ b/Objects/bytearrayobject.c @@ -891,8 +891,10 @@ bytearray_init(PyByteArrayObject *self, PyObject *args, PyObject *kwds) goto error; /* Append the byte */ - if (Py_SIZE(self) < self->ob_alloc) + if (Py_SIZE(self) + 1 < self->ob_alloc) { Py_SIZE(self)++; + PyByteArray_AS_STRING(self)[Py_SIZE(self)] = '\0'; + } else if (PyByteArray_Resize((PyObject *)self, Py_SIZE(self)+1) < 0) goto error; PyByteArray_AS_STRING(self)[Py_SIZE(self)-1] = value; |
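Review bot: test_init_alloc and the changed assertion in the preceding test pin only the allocation headroom (`alloc > len(b)`); neither observes that the byte just past the data is actually zero, so the null-termination half of the fix is not covered from Python. If the suite has a C-level helper available, an assertion there that the byte at index `len(b)` of the buffer is `0` after each step would close that gap. It is also not obvious on first read why `g()` inspects `b`; a comment such as `# g() runs while bytearray.__init__ is still filling b, so it sees every intermediate size` would make the intent clear. The last `assertGreater(alloc, len(b))` lacks the `# including trailing null byte` remark the other two carry.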
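Review bot: The fast path in bytearray_init now maintains the terminator by hand, and the condition `Py_SIZE(self) + 1 < self->ob_alloc` encodes the invariant that the allocation must stay strictly larger than the size, but nothing in the code says so. I would add above the `if`: `/* Fast path: needs room for the new byte plus the trailing NUL */`, so a later edit does not relax the comparison back to `<`. The check is made against `ob_alloc` alone, which is sufficient only if the data begins at the start of the allocation at this point; that is presumably established earlier in the function and is worth confirming. bytearray_init's body starts and ends outside this hunk.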