From 2ecd3c36b584692f46cddf209f7c09edddd21673 Mon Sep 17 00:00:00 2001
From: Jack Diederich
Date: Wed, 1 Apr 2009 20:26:13 +0000
Subject: bounds check arguments to mmap.move(). All of them. Really. fixes crasher on OS X 10.5
---
Lib/test/test_mmap.py | 21 ++++++++++++++-------
Modules/mmapmodule.c | 18 +++++++++---------
2 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/Lib/test/test_mmap.py b/Lib/test/test_mmap.py
index 1a23f2e..d6c62c1 100644
--- a/Lib/test/test_mmap.py
+++ b/Lib/test/test_mmap.py
@@ -359,15 +359,22 @@ class MmapTests(unittest.TestCase): m.move(source, dest, size) except ValueError: pass - self.assertRaises(ValueError, m.move, -1, -1, -1) - self.assertRaises(ValueError, m.move, -1, -1, 0) - self.assertRaises(ValueError, m.move, -1, 0, -1) - self.assertRaises(ValueError, m.move, 0, -1, -1) - self.assertRaises(ValueError, m.move, -1, 0, 0) - self.assertRaises(ValueError, m.move, 0, -1, 0) - self.assertRaises(ValueError, m.move, 0, 0, -1) + + offsets = [(-1, -1, -1), (-1, -1, 0), (-1, 0, -1), (0, -1, -1), + (-1, 0, 0), (0, -1, 0), (0, 0, -1)] + for source, dest, size in offsets: + self.assertRaises(ValueError, m.move, source, dest, size) + m.close() + m = mmap.mmap(-1, 1) # single byte + self.assertRaises(ValueError, m.move, 0, 0, 2) + self.assertRaises(ValueError, m.move, 1, 0, 1) + self.assertRaises(ValueError, m.move, 0, 1, 1) + m.move(0, 0, 1) + m.move(0, 0, 0) + + def test_anonymous(self): # anonymous mmap.mmap(-1, PAGE) m = mmap.mmap(-1, PAGESIZE)
diff --git a/Modules/mmapmodule.c b/Modules/mmapmodule.c
index cbacc2f..f660d6b 100644
--- a/Modules/mmapmodule.c
+++ b/Modules/mmapmodule.c
@@ -609,23 +609,23 @@ mmap_seek_method(mmap_object *self, PyObject *args)
 static PyObject *
 mmap_move_method(mmap_object *self, PyObject *args)
 {
- unsigned long dest, src, count;
+ unsigned long dest, src, cnt;
 CHECK_VALID(NULL);
- if (!PyArg_ParseTuple(args, "kkk:move", &dest, &src, &count) ||
+ if (!PyArg_ParseTuple(args, "kkk:move", &dest, &src, &cnt) ||
 !is_writeable(self)) {
 return NULL;
 } else {
 /* bounds check the values */
- unsigned long pos = src > dest ? src : dest;
- if (self->size < pos || count > self->size - pos) {
+ if (cnt < 0 || (cnt + dest) < cnt || (cnt + src) < cnt ||
+ src < 0 || src > self->size || (src + cnt) > self->size ||
+ dest < 0 || dest > self->size || (dest + cnt) > self->size) {
 PyErr_SetString(PyExc_ValueError,
- "source or destination out of range");
+ "source, destination, or count out of range");
 return NULL;
- } else {
- memmove(self->data+dest, self->data+src, count);
- Py_INCREF(Py_None);
- return Py_None;
 }
+ memmove(self->data+dest, self->data+src, cnt);
+ Py_INCREF(Py_None);
+ return Py_None;
 }
 }
-- cgit v0.12
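Review bot: The `cnt < 0`, `src < 0` and `dest < 0` comparisons in the new bounds check can never be true, because all three variables are declared `unsigned long`; a negative argument is rejected only indirectly, after the `k` format unit has turned it into a large unsigned value without overflow checking. That makes the condition harder to audit than it needs to be, and it relies on the two wrap tests (`(cnt + dest) < cnt` and `(cnt + src) < cnt`) being kept in step with the sums that follow. I would drop the dead comparisons and compare by subtraction so that no sum is formed at all: `if (src > self->size || cnt > self->size - src || dest > self->size || cnt > self->size - dest) {`, assuming `self->size` is an unsigned size (its declaration is outside the hunk). A one-line comment above it, `/* operands are unsigned: compare by subtraction so src+cnt and dest+cnt cannot wrap */`, would record the reason.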