diff options
author | Hirokazu Yamamoto <ocean-city@m2.ccsnet.ne.jp> | 2009-06-29 14:54:12 (GMT) |
---|---|---|
committer | Hirokazu Yamamoto <ocean-city@m2.ccsnet.ne.jp> | 2009-06-29 14:54:12 (GMT) |
commit | 7a9e1bd9246e8a827abeaa7e4af6285c2ba5f434 (patch) | |
tree | c09c129d5f4b30ddcafe073f6253f1643f411da1 | |
parent | 4b1f3e55c7776a049449c850ba5bef346c2d8643 (diff) | |
download | cpython-7a9e1bd9246e8a827abeaa7e4af6285c2ba5f434.zip cpython-7a9e1bd9246e8a827abeaa7e4af6285c2ba5f434.tar.gz cpython-7a9e1bd9246e8a827abeaa7e4af6285c2ba5f434.tar.bz2 |
Merged revisions 73677,73681 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r73677 | hirokazu.yamamoto | 2009-06-29 22:25:16 +0900 | 2 lines
Issue #6344: Fixed a crash of mmap.read() when passed a negative argument.
Reviewed by Amaury Forgeot d'Arc.
........
r73681 | hirokazu.yamamoto | 2009-06-29 23:29:31 +0900 | 1 line
Fixed NEWS.
........
-rw-r--r-- | Misc/NEWS | 2 | ||||
-rw-r--r-- | Modules/mmapmodule.c | 16 |
2 files changed, 15 insertions, 3 deletions
@@ -17,6 +17,8 @@ Core and Builtins Library ------- +- Issue #6344: Fixed a crash of mmap.read() when passed a negative argument. + - The deprecated function string.maketrans has been removed. Build diff --git a/Modules/mmapmodule.c b/Modules/mmapmodule.c index 37584e2..9d6d6af 100644 --- a/Modules/mmapmodule.c +++ b/Modules/mmapmodule.c @@ -238,7 +238,7 @@ static PyObject * mmap_read_method(mmap_object *self, PyObject *args) { - Py_ssize_t num_bytes; + Py_ssize_t num_bytes, n; PyObject *result; CHECK_VALID(NULL); @@ -246,8 +246,18 @@ mmap_read_method(mmap_object *self, return(NULL); /* silently 'adjust' out-of-range requests */ - if (num_bytes > self->size - self->pos) { - num_bytes -= (self->pos+num_bytes) - self->size; + assert(self->size >= self->pos); + n = self->size - self->pos; + /* The difference can overflow, only if self->size is greater than + * PY_SSIZE_T_MAX. But then the operation cannot possibly succeed, + * because the mapped area and the returned string each need more + * than half of the addressable memory. So we clip the size, and let + * the code below raise MemoryError. + */ + if (n < 0) + n = PY_SSIZE_T_MAX; + if (num_bytes < 0 || num_bytes > n) { + num_bytes = n; } result = PyBytes_FromStringAndSize(self->data+self->pos, num_bytes); self->pos += num_bytes; |