authorTim Peters <tim.peters@gmail.com>2001-12-19 04:41:35 (GMT)
committerTim Peters <tim.peters@gmail.com>2001-12-19 04:41:35 (GMT)
commit1fbb577ee26becacf53b92c53df356aaf227ea73 (patch)
tree269809974f51b25df90a37f3ee687d66c3c20150 /Modules
parentb6d14daa1c48d8938a140a671bcd17cb40cdd54d (diff)
SF bug #494738: binascii_b2a_base64 overwrites memory.
binascii_b2a_base64(): We didn't allocate enough buffer space for very short inputs (e.g., a 1-byte input can produce a 5-byte output, but we only allocated 2 bytes). I expect that malloc overheads absorbed the overrun in practice, but computing a correct upper bound is a very simple change.
Diffstat (limited to 'Modules')
-rw-r--r--Modules/binascii.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/Modules/binascii.c b/Modules/binascii.c
index 643450c..9ef3054 100644
--- a/Modules/binascii.c
+++ b/Modules/binascii.c
@@ -137,7 +137,7 @@ static char table_a2b_base64[] = {
#define BASE64_PAD '='
/* Max binary chunk size; limited only by available memory */
-#define BASE64_MAXBIN (INT_MAX/2 - sizeof(PyStringObject))
+#define BASE64_MAXBIN (INT_MAX/2 - sizeof(PyStringObject) - 3)
static unsigned char table_b2a_base64[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
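Review bot: The comment above `BASE64_MAXBIN` still reads "limited only by available memory" and gives no reason for the new `- 3`. That constant appears to exist only to mirror the `+ 3` this commit adds to the allocation in binascii_b2a_base64(), and nothing ties the two together. If one is changed without the other, the size computation can overflow again. I would reword the comment to something like `/* Max binary chunk size; the "- 3" keeps bin_len*2 + 3 in binascii_b2a_base64() within INT_MAX */`.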
@@ -436,8 +436,10 @@ binascii_b2a_base64(PyObject *self, PyObject *args)
return NULL;
}
- /* We're lazy and allocate to much (fixed up later) */
- if ( (rv=PyString_FromStringAndSize(NULL, bin_len*2)) == NULL )
+ /* We're lazy and allocate too much (fixed up later).
+ "+3" leaves room for up to two pad characters and a trailing
+ newline. Note that 'b' gets encoded as 'Yg==\n' (1 in, 5 out). */
+ if ( (rv=PyString_FromStringAndSize(NULL, bin_len*2 + 3)) == NULL )
return NULL;
ascii_data = (unsigned char *)PyString_AsString(rv);
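Review bot: `bin_len*2 + 3` is a correct upper bound only by an argument the reader has to reconstruct, and it allocates about 50% more than needed for large inputs. Sizing from the encoding itself, `((bin_len + 2) / 3) * 4 + 1` (four output characters per started 3-byte group, plus the newline), would make the bound self-evident and gives exactly 5 for the 1-byte case cited in the comment. Because the original defect was a heap overrun, it would also be worth asserting, before the later resize, that the number of bytes written does not exceed the allocated size. The encoding loop and the resize are outside this hunk, so the exact-size formula should be checked against them before adopting it.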