Issue #27599: Fixed buffer overrun in binascii.b2a_qp() and binascii.a2b_qp().

author: Serhiy Storchaka <storchaka@gmail.com> 2016-09-14 13:37:34 (GMT)
committer: Serhiy Storchaka <storchaka@gmail.com> 2016-09-14 13:37:34 (GMT)
commit: 62a1f024b47a8eaac19d4aec7b6d22da263d5585 (patch)
tree: a71a146ee9c7840b63eeb870438b3c5bfbdf334d /Modules
parent: 611b0fa94ce935235599a4bf666aef88e46f0b3b (diff)
parent: e6265e92bfbc3cda50cc71f049552217db65bf94 (diff)
download: cpython-62a1f024b47a8eaac19d4aec7b6d22da263d5585.zip
cpython-62a1f024b47a8eaac19d4aec7b6d22da263d5585.tar.gz
cpython-62a1f024b47a8eaac19d4aec7b6d22da263d5585.tar.bz2
1 files changed, 7 insertions, 5 deletions
diff --git a/Modules/binascii.c b/Modules/binascii.c
index c3320ce..9b9cd7f 100644
--- a/Modules/binascii.c
+++ b/Modules/binascii.c
@@ -1276,7 +1276,8 @@ binascii_a2b_qp_impl(PyObject *module, Py_buffer *data, int header)
                 odata[out++] = '=';
                 in++;
             }
-            else if (((ascii_data[in] >= 'A' && ascii_data[in] <= 'F') ||
+            else if ((in + 1 < datalen) &&
+                     ((ascii_data[in] >= 'A' && ascii_data[in] <= 'F') ||
                       (ascii_data[in] >= 'a' && ascii_data[in] <= 'f') ||
                       (ascii_data[in] >= '0' && ascii_data[in] <= '9')) &&
                      ((ascii_data[in+1] >= 'A' && ascii_data[in+1] <= 'F') ||
@@ -1375,7 +1376,8 @@ binascii_b2a_qp_impl(PyObject *module, Py_buffer *data, int quotetabs,
             (databuf[in] == '=') ||
             (header && databuf[in] == '_') ||
             ((databuf[in] == '.') && (linelen == 0) &&
-             (databuf[in+1] == '\n' || databuf[in+1] == '\r' || databuf[in+1] == 0)) ||
+             (in + 1 == datalen || databuf[in+1] == '\n' ||
+              databuf[in+1] == '\r' || databuf[in+1] == 0)) ||
             (!istext && ((databuf[in] == '\r') || (databuf[in] == '\n'))) ||
             ((databuf[in] == '\t' || databuf[in] == ' ') && (in + 1 == datalen)) ||
             ((databuf[in] < 33) &&
@@ -1451,13 +1453,13 @@ binascii_b2a_qp_impl(PyObject *module, Py_buffer *data, int quotetabs,
             (databuf[in] == '=') ||
             (header && databuf[in] == '_') ||
             ((databuf[in] == '.') && (linelen == 0) &&
-             (databuf[in+1] == '\n' || databuf[in+1] == '\r' || databuf[in+1] == 0)) ||
+             (in + 1 == datalen || databuf[in+1] == '\n' ||
+              databuf[in+1] == '\r' || databuf[in+1] == 0)) ||
             (!istext && ((databuf[in] == '\r') || (databuf[in] == '\n'))) ||
             ((databuf[in] == '\t' || databuf[in] == ' ') && (in + 1 == datalen)) ||
             ((databuf[in] < 33) &&
              (databuf[in] != '\r') && (databuf[in] != '\n') &&
-             (quotetabs ||
-            (!quotetabs && ((databuf[in] != '\t') && (databuf[in] != ' '))))))
+             (quotetabs || ((databuf[in] != '\t') && (databuf[in] != ' ')))))
         {
             if ((linelen + 3 )>= MAXLINESIZE) {
                 odata[out++] = '=';
author	Serhiy Storchaka <storchaka@gmail.com>	2016-09-14 13:37:34 (GMT)
committer	Serhiy Storchaka <storchaka@gmail.com>	2016-09-14 13:37:34 (GMT)
commit	62a1f024b47a8eaac19d4aec7b6d22da263d5585 (patch)
tree	a71a146ee9c7840b63eeb870438b3c5bfbdf334d /Modules
parent	611b0fa94ce935235599a4bf666aef88e46f0b3b (diff)
parent	e6265e92bfbc3cda50cc71f049552217db65bf94 (diff)
download	cpython-62a1f024b47a8eaac19d4aec7b6d22da263d5585.zip cpython-62a1f024b47a8eaac19d4aec7b6d22da263d5585.tar.gz cpython-62a1f024b47a8eaac19d4aec7b6d22da263d5585.tar.bz2