diff options
author | Martin Panter <vadmium+py@gmail.com> | 2015-11-07 02:32:21 (GMT) |
---|---|---|
committer | Martin Panter <vadmium+py@gmail.com> | 2015-11-07 02:32:21 (GMT) |
commit | eeb896c4116dd763efea45cb3c1b53257128f4e4 (patch) | |
tree | 34e8df45212ee5c99849dfca30977b92901615d6 /Objects/abstract.c | |
parent | 9ad0aae6566311c6982a20955381cda5a2954519 (diff) | |
download | cpython-eeb896c4116dd763efea45cb3c1b53257128f4e4.zip cpython-eeb896c4116dd763efea45cb3c1b53257128f4e4.tar.gz cpython-eeb896c4116dd763efea45cb3c1b53257128f4e4.tar.bz2 |
Issue #24802: Copy bytes-like objects to null-terminated buffers if necessary
This avoids possible buffer overreads when int(), float(), compile(), exec()
and eval() are passed bytes-like objects. Similar code is removed from the
complex() constructor, where it was not reachable.
Patch by John Leitch, Serhiy Storchaka and Martin Panter.
Diffstat (limited to 'Objects/abstract.c')
-rw-r--r-- | Objects/abstract.c | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/Objects/abstract.c b/Objects/abstract.c index a20a84c..5e96138 100644 --- a/Objects/abstract.c +++ b/Objects/abstract.c @@ -1264,12 +1264,30 @@ PyNumber_Long(PyObject *o) /* The below check is done in PyLong_FromUnicode(). */ return PyLong_FromUnicodeObject(o, 10); - if (PyObject_GetBuffer(o, &view, PyBUF_SIMPLE) == 0) { + if (PyBytes_Check(o)) /* need to do extra error checking that PyLong_FromString() * doesn't do. In particular int('9\x005') must raise an * exception, not truncate at the null. */ - PyObject *result = _PyLong_FromBytes(view.buf, view.len, 10); + return _PyLong_FromBytes(PyBytes_AS_STRING(o), + PyBytes_GET_SIZE(o), 10); + + if (PyByteArray_Check(o)) + return _PyLong_FromBytes(PyByteArray_AS_STRING(o), + PyByteArray_GET_SIZE(o), 10); + + if (PyObject_GetBuffer(o, &view, PyBUF_SIMPLE) == 0) { + PyObject *result, *bytes; + + /* Copy to NUL-terminated buffer. */ + bytes = PyBytes_FromStringAndSize((const char *)view.buf, view.len); + if (bytes == NULL) { + PyBuffer_Release(&view); + return NULL; + } + result = _PyLong_FromBytes(PyBytes_AS_STRING(bytes), + PyBytes_GET_SIZE(bytes), 10); + Py_DECREF(bytes); PyBuffer_Release(&view); return result; } |