summaryrefslogtreecommitdiffstats
path: root/Modules
diff options
context:
space:
mode:
authorSerhiy Storchaka <storchaka@gmail.com>2013-04-13 18:15:47 (GMT)
committerSerhiy Storchaka <storchaka@gmail.com>2013-04-13 18:15:47 (GMT)
commit4bb17348f5507f42f62d15b16ca0672e802f619c (patch)
tree5316a0216b116ee0c90c413b65bdc62f02882161 /Modules
parentf756f947f95b4b094d75f98d74b96ab3061133a3 (diff)
downloadcpython-4bb17348f5507f42f62d15b16ca0672e802f619c.zip
cpython-4bb17348f5507f42f62d15b16ca0672e802f619c.tar.gz
cpython-4bb17348f5507f42f62d15b16ca0672e802f619c.tar.bz2
Issue #17016: Get rid of possible pointer wraparounds and integer overflows
in the re module. Patch by Nickolai Zeldovich.
Diffstat (limited to 'Modules')
-rw-r--r--Modules/_sre.c22
1 files changed, 11 insertions, 11 deletions
diff --git a/Modules/_sre.c b/Modules/_sre.c
index 7e447a9..19571fb 100644
--- a/Modules/_sre.c
+++ b/Modules/_sre.c
@@ -655,7 +655,7 @@ do { \
alloc_pos = state->data_stack_base; \
TRACE(("allocating %s in %d (%d)\n", \
SFY(type), alloc_pos, sizeof(type))); \
- if (state->data_stack_size < alloc_pos+sizeof(type)) { \
+ if (sizeof(type) > state->data_stack_size - alloc_pos) { \
int j = data_stack_grow(state, sizeof(type)); \
if (j < 0) return j; \
if (ctx_pos != -1) \
@@ -675,7 +675,7 @@ do { \
do { \
TRACE(("copy data in %p to %d (%d)\n", \
data, state->data_stack_base, size)); \
- if (state->data_stack_size < state->data_stack_base+size) { \
+ if (size > state->data_stack_size - state->data_stack_base) { \
int j = data_stack_grow(state, size); \
if (j < 0) return j; \
if (ctx_pos != -1) \
@@ -997,7 +997,7 @@ entrance:
TRACE(("|%p|%p|REPEAT_ONE %d %d\n", ctx->pattern, ctx->ptr,
ctx->pattern[1], ctx->pattern[2]));
- if (ctx->ptr + state->charsize * ctx->pattern[1] > end)
+ if (ctx->pattern[1] > (end - ctx->ptr) / state->charsize)
RETURN_FAILURE; /* cannot match */
state->ptr = ctx->ptr;
@@ -1081,7 +1081,7 @@ entrance:
TRACE(("|%p|%p|MIN_REPEAT_ONE %d %d\n", ctx->pattern, ctx->ptr,
ctx->pattern[1], ctx->pattern[2]));
- if (ctx->ptr + state->charsize * ctx->pattern[1] > end)
+ if (ctx->pattern[1] > (end - ctx->ptr) / state->charsize)
RETURN_FAILURE; /* cannot match */
state->ptr = ctx->ptr;
@@ -2779,7 +2779,7 @@ _compile(PyObject* self_, PyObject* args)
skip = *code; \
VTRACE(("%lu (skip to %p)\n", \
(unsigned long)skip, code+skip)); \
- if (code+skip-adj < code || code+skip-adj > end)\
+ if (skip-adj > end-code) \
FAIL; \
code++; \
} while (0)
@@ -2812,7 +2812,7 @@ _validate_charset(SRE_CODE *code, SRE_CODE *end)
case SRE_OP_CHARSET:
offset = 32/sizeof(SRE_CODE); /* 32-byte bitmap */
- if (code+offset < code || code+offset > end)
+ if (offset > end-code)
FAIL;
code += offset;
break;
@@ -2820,7 +2820,7 @@ _validate_charset(SRE_CODE *code, SRE_CODE *end)
case SRE_OP_BIGCHARSET:
GET_ARG; /* Number of blocks */
offset = 256/sizeof(SRE_CODE); /* 256-byte table */
- if (code+offset < code || code+offset > end)
+ if (offset > end-code)
FAIL;
/* Make sure that each byte points to a valid block */
for (i = 0; i < 256; i++) {
@@ -2829,7 +2829,7 @@ _validate_charset(SRE_CODE *code, SRE_CODE *end)
}
code += offset;
offset = arg * 32/sizeof(SRE_CODE); /* 32-byte bitmap times arg */
- if (code+offset < code || code+offset > end)
+ if (offset > end-code)
FAIL;
code += offset;
break;
@@ -2980,11 +2980,11 @@ _validate_inner(SRE_CODE *code, SRE_CODE *end, Py_ssize_t groups)
GET_ARG; prefix_len = arg;
GET_ARG;
/* Here comes the prefix string */
- if (code+prefix_len < code || code+prefix_len > newcode)
+ if (prefix_len > newcode-code)
FAIL;
code += prefix_len;
/* And here comes the overlap table */
- if (code+prefix_len < code || code+prefix_len > newcode)
+ if (prefix_len > newcode-code)
FAIL;
/* Each overlap value should be < prefix_len */
for (i = 0; i < prefix_len; i++) {
@@ -3113,7 +3113,7 @@ _validate_inner(SRE_CODE *code, SRE_CODE *end, Py_ssize_t groups)
to allow arbitrary jumps anywhere in the code; so we just look
for a JUMP opcode preceding our skip target.
*/
- if (skip >= 3 && code+skip-3 >= code &&
+ if (skip >= 3 && skip-3 < end-code &&
code[skip-3] == SRE_OP_JUMP)
{
VTRACE(("both then and else parts present\n"));