diff options
| author | Neal Norwitz <nnorwitz@gmail.com> | 2007-06-09 03:36:34 (GMT) |
|---|---|---|
| committer | Neal Norwitz <nnorwitz@gmail.com> | 2007-06-09 03:36:34 (GMT) |
| commit | 7dbd2a3720be7f54068f8a8f3fa2176dd2ab1ebe (patch) | |
| tree | 6a7fe07925a49b6d79d09e562816ec29fa9b6482 /Objects | |
| parent | ea7f88e3d9cc42d7cfa9e87cc248103532c9d4d4 (diff) | |
| download | cpython-7dbd2a3720be7f54068f8a8f3fa2176dd2ab1ebe.zip cpython-7dbd2a3720be7f54068f8a8f3fa2176dd2ab1ebe.tar.gz cpython-7dbd2a3720be7f54068f8a8f3fa2176dd2ab1ebe.tar.bz2 | |
Prevent expandtabs() on string and unicode objects from causing a segfault when
a large width is passed on 32-bit platforms. Found by Google.
It would be good for people to review this especially carefully and verify
I don't have an off by one error and there is no other way to cause overflow.
Diffstat (limited to 'Objects')
| -rw-r--r-- | Objects/stringobject.c | 17 | ||||
| -rw-r--r-- | Objects/unicodeobject.c | 17 |
2 files changed, 28 insertions, 6 deletions
diff --git a/Objects/stringobject.c b/Objects/stringobject.c index 63e1381..d7ad5cc 100644 --- a/Objects/stringobject.c +++ b/Objects/stringobject.c @@ -3307,7 +3307,7 @@ string_expandtabs(PyStringObject *self, PyObject *args) { const char *e, *p; char *q; - Py_ssize_t i, j; + Py_ssize_t i, j, old_j; PyObject *u; int tabsize = 8; @@ -3315,12 +3315,18 @@ string_expandtabs(PyStringObject *self, PyObject *args) return NULL; /* First pass: determine size of output string */ - i = j = 0; + i = j = old_j = 0; e = PyString_AS_STRING(self) + PyString_GET_SIZE(self); for (p = PyString_AS_STRING(self); p < e; p++) if (*p == '\t') { - if (tabsize > 0) + if (tabsize > 0) { j += tabsize - (j % tabsize); + if (old_j > j) { + PyErr_SetString(PyExc_OverflowError, "new string is too long"); + return NULL; + } + old_j = j; + } } else { j++; @@ -3330,6 +3336,11 @@ string_expandtabs(PyStringObject *self, PyObject *args) } } + if ((i + j) < 0) { + PyErr_SetString(PyExc_OverflowError, "new string is too long"); + return NULL; + } + /* Second pass: create output string and fill it */ u = PyString_FromStringAndSize(NULL, i + j); if (!u) diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index a49fe39..3481d19 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c @@ -5690,7 +5690,7 @@ unicode_expandtabs(PyUnicodeObject *self, PyObject *args) Py_UNICODE *e; Py_UNICODE *p; Py_UNICODE *q; - Py_ssize_t i, j; + Py_ssize_t i, j, old_j; PyUnicodeObject *u; int tabsize = 8; @@ -5698,12 +5698,18 @@ unicode_expandtabs(PyUnicodeObject *self, PyObject *args) return NULL; /* First pass: determine size of output string */ - i = j = 0; + i = j = old_j = 0; e = self->str + self->length; for (p = self->str; p < e; p++) if (*p == '\t') { - if (tabsize > 0) + if (tabsize > 0) { j += tabsize - (j % tabsize); + if (old_j > j) { + PyErr_SetString(PyExc_OverflowError, "new string is too long"); + return NULL; + } + old_j = j; + } } else { j++; @@ -5713,6 +5719,11 @@ unicode_expandtabs(PyUnicodeObject *self, PyObject *args) } } + if ((i + j) < 0) { + PyErr_SetString(PyExc_OverflowError, "new string is too long"); + return NULL; + } + /* Second pass: create output string and fill it */ u = _PyUnicode_New(i + j); if (!u) |