authorBenjamin Peterson <benjamin@python.org>2016-08-14 01:33:33 (GMT)
committerBenjamin Peterson <benjamin@python.org>2016-08-14 01:33:33 (GMT)
commit4f976513efd8d411126e09d036842d0691c49c82 (patch)
tree99d85f9acb90e9f3cd36f735b41ed0e03a88eaa1 /Modules
parent6e01d90cc8bfac920bd4f7143b3968a8a21079d9 (diff)
fix possible integer overflow in binascii.b2a_qp (closes #27760)
Reported by Thomas E. Hybel
Diffstat (limited to 'Modules')
-rw-r--r--Modules/binascii.c25
1 files changed, 16 insertions, 9 deletions
diff --git a/Modules/binascii.c b/Modules/binascii.c
index a84badc7..829bde8 100644
--- a/Modules/binascii.c
+++ b/Modules/binascii.c
@@ -1365,6 +1365,7 @@ binascii_b2a_qp (PyObject *self, PyObject *args, PyObject *kwargs)
/* First, scan to see how many characters need to be encoded */
in = 0;
while (in < datalen) {
+ Py_ssize_t delta = 0;
if ((data[in] > 126) ||
(data[in] == '=') ||
(header && data[in] == '_') ||
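Review bot: The `delta` declared at the top of the scan loop has no comment, yet the overflow check added at the end of the loop body (`PY_SSIZE_T_MAX - delta < odatalen`) is only well defined because `delta` stays small and non-negative. In the branches visible here it grows by at most 6 per iteration (a soft line break of 3 plus a 3-byte escape), so the subtraction cannot underflow. I would record that invariant at the declaration, e.g. `/* output bytes added by this input position; a small bounded value, so PY_SSIZE_T_MAX - delta cannot underflow */`. The loop body continues outside this hunk and the branch conditions are only partly visible, so the bound should be confirmed against the full function.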
@@ -1379,12 +1380,12 @@ binascii_b2a_qp (PyObject *self, PyObject *args, PyObject *kwargs)
if ((linelen + 3) >= MAXLINESIZE) {
linelen = 0;
if (crlf)
- odatalen += 3;
+ delta += 3;
else
- odatalen += 2;
+ delta += 2;
}
linelen += 3;
- odatalen += 3;
+ delta += 3;
in++;
}
else {
@@ -1396,11 +1397,11 @@ binascii_b2a_qp (PyObject *self, PyObject *args, PyObject *kwargs)
linelen = 0;
/* Protect against whitespace on end of line */
if (in && ((data[in-1] == ' ') || (data[in-1] == '\t')))
- odatalen += 2;
+ delta += 2;
if (crlf)
- odatalen += 2;
+ delta += 2;
else
- odatalen += 1;
+ delta += 1;
if (data[in] == '\r')
in += 2;
else
@@ -1412,15 +1413,21 @@ binascii_b2a_qp (PyObject *self, PyObject *args, PyObject *kwargs)
(linelen + 1) >= MAXLINESIZE) {
linelen = 0;
if (crlf)
- odatalen += 3;
+ delta += 3;
else
- odatalen += 2;
+ delta += 2;
}
linelen++;
- odatalen++;
+ delta++;
in++;
}
}
+ if (PY_SSIZE_T_MAX - delta < odatalen) {
+ PyBuffer_Release(&pdata);
+ PyErr_NoMemory();
+ return NULL;
+ }
+ odatalen += delta;
}
/* We allocate the output same size as input, this is overkill.