diff options
| author | Christian Heimes <christian@cheimes.de> | 2012-09-12 13:32:06 (GMT) |
|---|---|---|
| committer | Christian Heimes <christian@cheimes.de> | 2012-09-12 13:32:06 (GMT) |
| commit | 7ae251a0256686a0583a371a0c6421b6fd8366bf (patch) | |
| tree | 85ad39841b57d78e4560be947bd1900ae0632428 | |
| parent | 0ae066b28141ec96504f30eb2a32206896853935 (diff) | |
| parent | 79b97ee2ab2620921d409ed4010e84f6c227b470 (diff) | |
| download | cpython-7ae251a0256686a0583a371a0c6421b6fd8366bf.zip cpython-7ae251a0256686a0583a371a0c6421b6fd8366bf.tar.gz cpython-7ae251a0256686a0583a371a0c6421b6fd8366bf.tar.bz2 | |
Fix out of bounds read in long_new() for empty bytes with an explicit base. int(b'', somebase) calls PyLong_FromString() with char* of length 1 but the function accesses the first argument at offset 1. CID 715359
| -rw-r--r-- | Objects/longobject.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/Objects/longobject.c b/Objects/longobject.c index 7e12b34..f452840 100644 --- a/Objects/longobject.c +++ b/Objects/longobject.c @@ -4285,8 +4285,8 @@ long_new(PyTypeObject *type, PyObject *args, PyObject *kwds) string = PyByteArray_AS_STRING(x); else string = PyBytes_AS_STRING(x); - if (strlen(string) != (size_t)size) { - /* We only see this if there's a null byte in x, + if (strlen(string) != (size_t)size || !size) { + /* We only see this if there's a null byte in x or x is empty, x is a bytes or buffer, *and* a base is given. */ PyErr_Format(PyExc_ValueError, "invalid literal for int() with base %d: %R", |