From 6107a4e24a0347df6c1e337a23bdcc735539a0cf Mon Sep 17 00:00:00 2001
From: Antoine Pitrou <solipsis@pitrou.net>
Date: Thu, 20 Jan 2011 21:11:13 +0000
Subject: Merged revisions 88131 via svnmerge from
 svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r88131 | antoine.pitrou | 2011-01-20 22:07:24 +0100 (jeu., 20 janv. 2011) | 6 lines

  Issue #10955: Fix a potential crash when trying to mmap() a file past its
  length.  Initial patch by Ross Lagerwall.

  This fixes a regression introduced by r88022.
........
---
 Lib/test/test_mmap.py | 13 +++++++++++++
 Misc/NEWS             |  3 +++
 Modules/mmapmodule.c  | 11 +++++++++++
 3 files changed, 27 insertions(+)

diff --git a/Lib/test/test_mmap.py b/Lib/test/test_mmap.py
index c20b96d..62569b9 100644
--- a/Lib/test/test_mmap.py
+++ b/Lib/test/test_mmap.py
@@ -341,6 +341,19 @@ class MmapTests(unittest.TestCase):
             finally:
                 mf.close()
 
+    def test_length_0_large_offset(self):
+        # Issue #10959: test mapping of a file by passing 0 for
+        # map length with a large offset doesn't cause a segfault.
+        if not hasattr(os, "stat"):
+            self.skipTest("needs os.stat")
+
+        with open(TESTFN, "wb") as f:
+            f.write(115699 * b'm') # Arbitrary character
+
+        with open(TESTFN, "w+b") as f:
+            self.assertRaises(ValueError, mmap.mmap, f.fileno(), 0,
+                              offset=2147418112)
+
     def test_move(self):
         # make move works everywhere (64-bit format problem earlier)
         f = open(TESTFN, 'wb+')
diff --git a/Misc/NEWS b/Misc/NEWS
index ba9a88d..f6ed01d 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -37,6 +37,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #10955: Fix a potential crash when trying to mmap() a file past its
+  length.  Initial patch by Ross Lagerwall.
+
 - Issue #10898: Allow compiling the posix module when the C library defines
   a symbol named FSTAT.
 
diff --git a/Modules/mmapmodule.c b/Modules/mmapmodule.c
index bbea208..e47e41c 100644
--- a/Modules/mmapmodule.c
+++ b/Modules/mmapmodule.c
@@ -1085,6 +1085,11 @@ new_mmap_object(PyTypeObject *type, PyObject *args, PyObject *kwdict)
 #  endif
     if (fd != -1 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) {
         if (map_size == 0) {
+            if (offset >= st.st_size) {
+                PyErr_SetString(PyExc_ValueError,
+                                "mmap offset is greater than file size");
+                return NULL;
+            }
             map_size = st.st_size - offset;
         } else if ((size_t)offset + (size_t)map_size > st.st_size) {
             PyErr_SetString(PyExc_ValueError,
@@ -1269,6 +1274,12 @@ new_mmap_object(PyTypeObject *type, PyObject *args, PyObject *kwdict)
             else
                 m_obj->size = low;
 #endif
+            if (offset >= m_obj->size) {
+                PyErr_SetString(PyExc_ValueError,
+                                "mmap offset is greater than file size");
+                Py_DECREF(m_obj);
+                return NULL;
+            }
             m_obj->size -= offset;
         } else {
             m_obj->size = map_size;
-- 
cgit v0.12