diff options
author | Eric Smith <eric@trueblade.com> | 2007-09-03 08:40:29 (GMT) |
---|---|---|
committer | Eric Smith <eric@trueblade.com> | 2007-09-03 08:40:29 (GMT) |
commit | 4cb4e4e882dcff50ffd2f5478ae63522657d7ce3 (patch) | |
tree | 0eeb9eaa7311e6c51c3686b7500fc69e1f6fda11 /Objects | |
parent | f82d9b52fae475a132a21d1b7174730f17b735de (diff) | |
download | cpython-4cb4e4e882dcff50ffd2f5478ae63522657d7ce3.zip cpython-4cb4e4e882dcff50ffd2f5478ae63522657d7ce3.tar.gz cpython-4cb4e4e882dcff50ffd2f5478ae63522657d7ce3.tar.bz2 |
Fix segfault discovered by Ron Adam. Not checking for terminating right bracket in "'{0[}'.format(())". Fixed, and tests added.
Diffstat (limited to 'Objects')
-rw-r--r-- | Objects/stringlib/string_format.h | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/Objects/stringlib/string_format.h b/Objects/stringlib/string_format.h index dbd01d3..de700f6 100644 --- a/Objects/stringlib/string_format.h +++ b/Objects/stringlib/string_format.h @@ -273,6 +273,7 @@ _FieldNameIterator_attr(FieldNameIterator *self, SubString *name) static int _FieldNameIterator_item(FieldNameIterator *self, SubString *name) { + int bracket_seen = 0; STRINGLIB_CHAR c; name->ptr = self->ptr; @@ -281,12 +282,19 @@ _FieldNameIterator_item(FieldNameIterator *self, SubString *name) while (self->ptr < self->str.end) { switch (c = *self->ptr++) { case ']': + bracket_seen = 1; break; default: continue; } break; } + /* make sure we ended with a ']' */ + if (!bracket_seen) { + PyErr_SetString(PyExc_ValueError, "Missing ']' in format string"); + return 0; + } + /* end of string is okay */ /* don't include the ']' */ name->end = self->ptr-1; @@ -305,16 +313,14 @@ FieldNameIterator_next(FieldNameIterator *self, int *is_attribute, switch (*self->ptr++) { case '.': *is_attribute = 1; - if (_FieldNameIterator_attr(self, name) == 0) { + if (_FieldNameIterator_attr(self, name) == 0) return 0; - } *name_idx = -1; break; case '[': *is_attribute = 0; - if (_FieldNameIterator_item(self, name) == 0) { + if (_FieldNameIterator_item(self, name) == 0) return 0; - } *name_idx = get_integer(name); break; default: |