summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHirokazu Yamamoto <ocean-city@m2.ccsnet.ne.jp>2009-06-29 14:54:12 (GMT)
committerHirokazu Yamamoto <ocean-city@m2.ccsnet.ne.jp>2009-06-29 14:54:12 (GMT)
commit7a9e1bd9246e8a827abeaa7e4af6285c2ba5f434 (patch)
treec09c129d5f4b30ddcafe073f6253f1643f411da1
parent4b1f3e55c7776a049449c850ba5bef346c2d8643 (diff)
downloadcpython-7a9e1bd9246e8a827abeaa7e4af6285c2ba5f434.zip
cpython-7a9e1bd9246e8a827abeaa7e4af6285c2ba5f434.tar.gz
cpython-7a9e1bd9246e8a827abeaa7e4af6285c2ba5f434.tar.bz2
Merged revisions 73677,73681 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk ........ r73677 | hirokazu.yamamoto | 2009-06-29 22:25:16 +0900 | 2 lines Issue #6344: Fixed a crash of mmap.read() when passed a negative argument. Reviewed by Amaury Forgeot d'Arc. ........ r73681 | hirokazu.yamamoto | 2009-06-29 23:29:31 +0900 | 1 line Fixed NEWS. ........
-rw-r--r--Misc/NEWS2
-rw-r--r--Modules/mmapmodule.c16
2 files changed, 15 insertions, 3 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index 37b7c13..411df54 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -17,6 +17,8 @@ Core and Builtins
Library
-------
+- Issue #6344: Fixed a crash of mmap.read() when passed a negative argument.
+
- The deprecated function string.maketrans has been removed.
Build
diff --git a/Modules/mmapmodule.c b/Modules/mmapmodule.c
index 37584e2..9d6d6af 100644
--- a/Modules/mmapmodule.c
+++ b/Modules/mmapmodule.c
@@ -238,7 +238,7 @@ static PyObject *
mmap_read_method(mmap_object *self,
PyObject *args)
{
- Py_ssize_t num_bytes;
+ Py_ssize_t num_bytes, n;
PyObject *result;
CHECK_VALID(NULL);
@@ -246,8 +246,18 @@ mmap_read_method(mmap_object *self,
return(NULL);
/* silently 'adjust' out-of-range requests */
- if (num_bytes > self->size - self->pos) {
- num_bytes -= (self->pos+num_bytes) - self->size;
+ assert(self->size >= self->pos);
+ n = self->size - self->pos;
+ /* The difference can overflow, only if self->size is greater than
+ * PY_SSIZE_T_MAX. But then the operation cannot possibly succeed,
+ * because the mapped area and the returned string each need more
+ * than half of the addressable memory. So we clip the size, and let
+ * the code below raise MemoryError.
+ */
+ if (n < 0)
+ n = PY_SSIZE_T_MAX;
+ if (num_bytes < 0 || num_bytes > n) {
+ num_bytes = n;
}
result = PyBytes_FromStringAndSize(self->data+self->pos, num_bytes);
self->pos += num_bytes;