diff options
| author | Antoine Pitrou <solipsis@pitrou.net> | 2015-05-19 18:55:42 (GMT) |
|---|---|---|
| committer | Antoine Pitrou <solipsis@pitrou.net> | 2015-05-19 18:55:42 (GMT) |
| commit | ef64847f7172d74f793cff179c50435e846690a6 (patch) | |
| tree | bb73980a0924883ebd84e2bd6f8715c3a937ae93 | |
| parent | 94e44ed517cfce20f75cd1c142768267eb22f10d (diff) | |
| parent | 2545411e2848c50bd4f7345fc76e9d24cd063d32 (diff) | |
| download | cpython-ef64847f7172d74f793cff179c50435e846690a6.zip cpython-ef64847f7172d74f793cff179c50435e846690a6.tar.gz cpython-ef64847f7172d74f793cff179c50435e846690a6.tar.bz2 | |
Issue #23985: Fix a possible buffer overrun when deleting a slice from the front of a bytearray and then appending some other bytes data.
Patch by Martin Panter.
| -rw-r--r-- | Lib/test/test_bytes.py | 16 | ||||
| -rw-r--r-- | Misc/NEWS | 3 | ||||
| -rw-r--r-- | Objects/bytearrayobject.c | 8 |
3 files changed, 21 insertions, 6 deletions
diff --git a/Lib/test/test_bytes.py b/Lib/test/test_bytes.py index a075cde..7ff7f19 100644 --- a/Lib/test/test_bytes.py +++ b/Lib/test/test_bytes.py @@ -993,6 +993,22 @@ class ByteArrayTest(BaseBytesTest, unittest.TestCase): b.extend(range(100, 110)) self.assertEqual(list(b), list(range(10, 110))) + def test_fifo_overrun(self): + # Test for issue #23985, a buffer overrun when implementing a FIFO + # Build Python in pydebug mode for best results. + b = bytearray(10) + b.pop() # Defeat expanding buffer off-by-one quirk + del b[:1] # Advance start pointer without reallocating + b += bytes(2) # Append exactly the number of deleted bytes + del b # Free memory buffer, allowing pydebug verification + + def test_del_expand(self): + # Reducing the size should not expand the buffer (issue #23985) + b = bytearray(10) + size = sys.getsizeof(b) + del b[:1] + self.assertLessEqual(sys.getsizeof(b), size) + def test_extended_set_del_slice(self): indices = (0, None, 1, 3, 19, 300, 1<<333, -1, -2, -31, -300) for start in indices: @@ -10,6 +10,9 @@ Release date: 2015-05-24 Core and Builtins ----------------- +- Issue #23985: Fix a possible buffer overrun when deleting a slice from + the front of a bytearray and then appending some other bytes data. + - Issue #24102: Fixed exception type checking in standard error handlers. - Issue #15027: The UTF-32 encoder is now 3x to 7x faster. diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c index 14444a2..b9477ca 100644 --- a/Objects/bytearrayobject.c +++ b/Objects/bytearrayobject.c @@ -187,7 +187,7 @@ PyByteArray_Resize(PyObject *self, Py_ssize_t requested_size) return -1; } - if (size + logical_offset + 1 < alloc) { + if (size + logical_offset + 1 <= alloc) { /* Current buffer is large enough to host the requested size, decide on a strategy. */ if (size < alloc / 2) { @@ -331,11 +331,7 @@ bytearray_iconcat(PyByteArrayObject *self, PyObject *other) PyBuffer_Release(&vo); return PyErr_NoMemory(); } - if (size < self->ob_alloc) { - Py_SIZE(self) = size; - PyByteArray_AS_STRING(self)[Py_SIZE(self)] = '\0'; /* Trailing null byte */ - } - else if (PyByteArray_Resize((PyObject *)self, size) < 0) { + if (PyByteArray_Resize((PyObject *)self, size) < 0) { PyBuffer_Release(&vo); return NULL; } |