diff options
author | Tim Peters <tim.peters@gmail.com> | 2001-12-19 04:41:35 (GMT) |
---|---|---|
committer | Tim Peters <tim.peters@gmail.com> | 2001-12-19 04:41:35 (GMT) |
commit | 1fbb577ee26becacf53b92c53df356aaf227ea73 (patch) | |
tree | 269809974f51b25df90a37f3ee687d66c3c20150 /Modules | |
parent | b6d14daa1c48d8938a140a671bcd17cb40cdd54d (diff) | |
download | cpython-1fbb577ee26becacf53b92c53df356aaf227ea73.zip cpython-1fbb577ee26becacf53b92c53df356aaf227ea73.tar.gz cpython-1fbb577ee26becacf53b92c53df356aaf227ea73.tar.bz2 |
SF bug #494738: binascii_b2a_base64 overwrites memory.
binascii_b2a_base64(): We didn't allocate enough buffer space for very
short inputs (e.g., a 1-byte input can produce a 5-byte output, but we
only allocated 2 bytes). I expect that malloc overheads absorbed the
overrun in practice, but computing a correct upper bound is a very simple
change.
Diffstat (limited to 'Modules')
-rw-r--r-- | Modules/binascii.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/Modules/binascii.c b/Modules/binascii.c index 643450c..9ef3054 100644 --- a/Modules/binascii.c +++ b/Modules/binascii.c @@ -137,7 +137,7 @@ static char table_a2b_base64[] = { #define BASE64_PAD '=' /* Max binary chunk size; limited only by available memory */ -#define BASE64_MAXBIN (INT_MAX/2 - sizeof(PyStringObject)) +#define BASE64_MAXBIN (INT_MAX/2 - sizeof(PyStringObject) - 3) static unsigned char table_b2a_base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; @@ -436,8 +436,10 @@ binascii_b2a_base64(PyObject *self, PyObject *args) return NULL; } - /* We're lazy and allocate to much (fixed up later) */ - if ( (rv=PyString_FromStringAndSize(NULL, bin_len*2)) == NULL ) + /* We're lazy and allocate too much (fixed up later). + "+3" leaves room for up to two pad characters and a trailing + newline. Note that 'b' gets encoded as 'Yg==\n' (1 in, 5 out). */ + if ( (rv=PyString_FromStringAndSize(NULL, bin_len*2 + 3)) == NULL ) return NULL; ascii_data = (unsigned char *)PyString_AsString(rv); |