diff options
author | Serhiy Storchaka <storchaka@gmail.com> | 2016-09-14 13:34:37 (GMT) |
---|---|---|
committer | Serhiy Storchaka <storchaka@gmail.com> | 2016-09-14 13:34:37 (GMT) |
commit | e6265e92bfbc3cda50cc71f049552217db65bf94 (patch) | |
tree | 05fde6152f1504f0b0dce23a0171f6ed8e309583 /Modules | |
parent | 7ce201322edf76ad75038ad84229a070bec34be2 (diff) | |
download | cpython-e6265e92bfbc3cda50cc71f049552217db65bf94.zip cpython-e6265e92bfbc3cda50cc71f049552217db65bf94.tar.gz cpython-e6265e92bfbc3cda50cc71f049552217db65bf94.tar.bz2 |
Issue #27599: Fixed buffer overrun in binascii.b2a_qp() and binascii.a2b_qp().
Diffstat (limited to 'Modules')
-rw-r--r-- | Modules/binascii.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/Modules/binascii.c b/Modules/binascii.c index f0b47d8..1a40b41 100644 --- a/Modules/binascii.c +++ b/Modules/binascii.c @@ -1290,7 +1290,8 @@ binascii_a2b_qp_impl(PyObject *module, Py_buffer *data, int header) odata[out++] = '='; in++; } - else if (((ascii_data[in] >= 'A' && ascii_data[in] <= 'F') || + else if ((in + 1 < datalen) && + ((ascii_data[in] >= 'A' && ascii_data[in] <= 'F') || (ascii_data[in] >= 'a' && ascii_data[in] <= 'f') || (ascii_data[in] >= '0' && ascii_data[in] <= '9')) && ((ascii_data[in+1] >= 'A' && ascii_data[in+1] <= 'F') || @@ -1388,7 +1389,8 @@ binascii_b2a_qp_impl(PyObject *module, Py_buffer *data, int quotetabs, (databuf[in] == '=') || (header && databuf[in] == '_') || ((databuf[in] == '.') && (linelen == 0) && - (databuf[in+1] == '\n' || databuf[in+1] == '\r' || databuf[in+1] == 0)) || + (in + 1 == datalen || databuf[in+1] == '\n' || + databuf[in+1] == '\r' || databuf[in+1] == 0)) || (!istext && ((databuf[in] == '\r') || (databuf[in] == '\n'))) || ((databuf[in] == '\t' || databuf[in] == ' ') && (in + 1 == datalen)) || ((databuf[in] < 33) && @@ -1464,13 +1466,13 @@ binascii_b2a_qp_impl(PyObject *module, Py_buffer *data, int quotetabs, (databuf[in] == '=') || (header && databuf[in] == '_') || ((databuf[in] == '.') && (linelen == 0) && - (databuf[in+1] == '\n' || databuf[in+1] == '\r' || databuf[in+1] == 0)) || + (in + 1 == datalen || databuf[in+1] == '\n' || + databuf[in+1] == '\r' || databuf[in+1] == 0)) || (!istext && ((databuf[in] == '\r') || (databuf[in] == '\n'))) || ((databuf[in] == '\t' || databuf[in] == ' ') && (in + 1 == datalen)) || ((databuf[in] < 33) && (databuf[in] != '\r') && (databuf[in] != '\n') && - (quotetabs || - (!quotetabs && ((databuf[in] != '\t') && (databuf[in] != ' ')))))) + (quotetabs || ((databuf[in] != '\t') && (databuf[in] != ' '))))) { if ((linelen + 3 )>= MAXLINESIZE) { odata[out++] = '='; |