diff options
| author | Andrew M. Kuchling <amk@amk.ca> | 2000-07-12 01:27:18 (GMT) |
|---|---|---|
| committer | Andrew M. Kuchling <amk@amk.ca> | 2000-07-12 01:27:18 (GMT) |
| commit | c72c3bed779d9176096abf487ca855aa2871edd8 (patch) | |
| tree | 3e8f9b56d740f573bac987f3e5bf9f8343c946b4 /Modules | |
| parent | a4e75d74f8a5569ab6343ae6d5d769bf689e6094 (diff) | |
| download | cpython-c72c3bed779d9176096abf487ca855aa2871edd8.zip cpython-c72c3bed779d9176096abf487ca855aa2871edd8.tar.gz cpython-c72c3bed779d9176096abf487ca855aa2871edd8.tar.bz2 | |
Fix bugs in readinst():
* There was no error reported if the .read() method returns a non-string
* If read() returned too much data, the buffer would be overflowed causing a
core dump
* Used strncpy, not memcpy, which seems incorrect if there are embedded \0s.
* The args and bytes objects were leaked
Diffstat (limited to 'Modules')
| -rw-r--r-- | Modules/pyexpat.c | 35 |
1 files changed, 25 insertions, 10 deletions
diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c index f0b17c5..05bb703 100644 --- a/Modules/pyexpat.c +++ b/Modules/pyexpat.c @@ -446,7 +446,7 @@ int readinst(char *buf, int buf_size, PyObject *meth){ PyObject *arg=NULL; PyObject *bytes=NULL; PyObject *str=NULL; - int len = 0; + int len = -1; UNLESS(bytes = PyInt_FromLong(buf_size)) { if (!PyErr_Occurred()) @@ -458,20 +458,33 @@ int readinst(char *buf, int buf_size, PyObject *meth){ UNLESS(arg = PyTuple_New(1)) goto finally; - Py_INCREF(bytes); if (PyTuple_SetItem(arg, 0, bytes) < 0) goto finally; UNLESS(str = PyObject_CallObject(meth, arg)) goto finally; - UNLESS(PyString_Check( str )) + /* XXX what to do if it returns a Unicode string? */ + UNLESS(PyString_Check( str )) { + PyErr_Format(PyExc_TypeError, + "read() did not return a string object (type=%.400s)", + str->ob_type->tp_name); goto finally; - + } + len = PyString_GET_SIZE(str); - strncpy(buf, PyString_AsString(str), len); + if (len > buf_size) { + PyErr_Format(PyExc_ValueError, + "read() returned too much data: " + "%i bytes requested, %i returned", + buf_size, len); + Py_DECREF(str); + goto finally; + } + memcpy(buf, PyString_AsString(str), len); Py_XDECREF(str); finally: + Py_XDECREF(arg); return len; } @@ -512,14 +525,16 @@ xmlparse_ParseFile( xmlparseobject *self, PyObject *args ) if( fp ){ bytes_read=fread( buf, sizeof( char ), BUF_SIZE, fp); - }else{ + if (bytes_read < 0) { + PyErr_SetFromErrno(PyExc_IOError); + return NULL; + } + } else { bytes_read=readinst( buf, BUF_SIZE, readmethod ); + if (bytes_read < 0) + return NULL; } - if (bytes_read < 0) { - PyErr_SetFromErrno(PyExc_IOError); - return NULL; - } rv=XML_ParseBuffer(self->itself, bytes_read, bytes_read == 0); if( PyErr_Occurred() ){ return NULL; |