summaryrefslogtreecommitdiffstats
path: root/Modules
diff options
context:
space:
mode:
authorSerhiy Storchaka <storchaka@gmail.com>2016-09-14 13:34:37 (GMT)
committerSerhiy Storchaka <storchaka@gmail.com>2016-09-14 13:34:37 (GMT)
commite6265e92bfbc3cda50cc71f049552217db65bf94 (patch)
tree05fde6152f1504f0b0dce23a0171f6ed8e309583 /Modules
parent7ce201322edf76ad75038ad84229a070bec34be2 (diff)
downloadcpython-e6265e92bfbc3cda50cc71f049552217db65bf94.zip
cpython-e6265e92bfbc3cda50cc71f049552217db65bf94.tar.gz
cpython-e6265e92bfbc3cda50cc71f049552217db65bf94.tar.bz2
Issue #27599: Fixed buffer overrun in binascii.b2a_qp() and binascii.a2b_qp().
Diffstat (limited to 'Modules')
-rw-r--r--Modules/binascii.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/Modules/binascii.c b/Modules/binascii.c
index f0b47d8..1a40b41 100644
--- a/Modules/binascii.c
+++ b/Modules/binascii.c
@@ -1290,7 +1290,8 @@ binascii_a2b_qp_impl(PyObject *module, Py_buffer *data, int header)
odata[out++] = '=';
in++;
}
- else if (((ascii_data[in] >= 'A' && ascii_data[in] <= 'F') ||
+ else if ((in + 1 < datalen) &&
+ ((ascii_data[in] >= 'A' && ascii_data[in] <= 'F') ||
(ascii_data[in] >= 'a' && ascii_data[in] <= 'f') ||
(ascii_data[in] >= '0' && ascii_data[in] <= '9')) &&
((ascii_data[in+1] >= 'A' && ascii_data[in+1] <= 'F') ||
@@ -1388,7 +1389,8 @@ binascii_b2a_qp_impl(PyObject *module, Py_buffer *data, int quotetabs,
(databuf[in] == '=') ||
(header && databuf[in] == '_') ||
((databuf[in] == '.') && (linelen == 0) &&
- (databuf[in+1] == '\n' || databuf[in+1] == '\r' || databuf[in+1] == 0)) ||
+ (in + 1 == datalen || databuf[in+1] == '\n' ||
+ databuf[in+1] == '\r' || databuf[in+1] == 0)) ||
(!istext && ((databuf[in] == '\r') || (databuf[in] == '\n'))) ||
((databuf[in] == '\t' || databuf[in] == ' ') && (in + 1 == datalen)) ||
((databuf[in] < 33) &&
@@ -1464,13 +1466,13 @@ binascii_b2a_qp_impl(PyObject *module, Py_buffer *data, int quotetabs,
(databuf[in] == '=') ||
(header && databuf[in] == '_') ||
((databuf[in] == '.') && (linelen == 0) &&
- (databuf[in+1] == '\n' || databuf[in+1] == '\r' || databuf[in+1] == 0)) ||
+ (in + 1 == datalen || databuf[in+1] == '\n' ||
+ databuf[in+1] == '\r' || databuf[in+1] == 0)) ||
(!istext && ((databuf[in] == '\r') || (databuf[in] == '\n'))) ||
((databuf[in] == '\t' || databuf[in] == ' ') && (in + 1 == datalen)) ||
((databuf[in] < 33) &&
(databuf[in] != '\r') && (databuf[in] != '\n') &&
- (quotetabs ||
- (!quotetabs && ((databuf[in] != '\t') && (databuf[in] != ' '))))))
+ (quotetabs || ((databuf[in] != '\t') && (databuf[in] != ' ')))))
{
if ((linelen + 3 )>= MAXLINESIZE) {
odata[out++] = '=';