From 594e54c765c5d53b14547f30ee59018514d44698 Mon Sep 17 00:00:00 2001 From: Serhiy Storchaka Date: Fri, 4 Sep 2015 01:08:03 +0300 Subject: Issue #24989: Fixed buffer overread in BytesIO.readline() if a position is set beyond size. Based on patch by John Leitch. --- Lib/test/test_memoryio.py | 13 +++++++++++++ Misc/NEWS | 3 +++ Modules/_io/bytesio.c | 6 +++++- 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/Lib/test/test_memoryio.py b/Lib/test/test_memoryio.py index df4ff7a..44d66c3 100644 --- a/Lib/test/test_memoryio.py +++ b/Lib/test/test_memoryio.py @@ -166,6 +166,10 @@ class MemoryTestMixin: memio.seek(0) self.assertEqual(memio.read(None), buf) self.assertRaises(TypeError, memio.read, '') + memio.seek(len(buf) + 1) + self.assertEqual(memio.read(1), self.EOF) + memio.seek(len(buf) + 1) + self.assertEqual(memio.read(), self.EOF) memio.close() self.assertRaises(ValueError, memio.read) @@ -185,6 +189,9 @@ class MemoryTestMixin: self.assertEqual(memio.readline(-1), buf) memio.seek(0) self.assertEqual(memio.readline(0), self.EOF) + # Issue #24989: Buffer overread + memio.seek(len(buf) * 2 + 1) + self.assertEqual(memio.readline(), self.EOF) buf = self.buftype("1234567890\n") memio = self.ioclass((buf * 3)[:-1]) @@ -217,6 +224,9 @@ class MemoryTestMixin: memio.seek(0) self.assertEqual(memio.readlines(None), [buf] * 10) self.assertRaises(TypeError, memio.readlines, '') + # Issue #24989: Buffer overread + memio.seek(len(buf) * 10 + 1) + self.assertEqual(memio.readlines(), []) memio.close() self.assertRaises(ValueError, memio.readlines) @@ -238,6 +248,9 @@ class MemoryTestMixin: self.assertEqual(line, buf) i += 1 self.assertEqual(i, 10) + # Issue #24989: Buffer overread + memio.seek(len(buf) * 10 + 1) + self.assertEqual(list(memio), []) memio = self.ioclass(buf * 2) memio.close() self.assertRaises(ValueError, memio.__next__) diff --git a/Misc/NEWS b/Misc/NEWS index d1a1459..e9bb7c2 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -92,6 +92,9 @@ Core and Builtins Library ------- +- Issue #24989: Fixed buffer overread in BytesIO.readline() if a position is + set beyond size. Based on patch by John Leitch. + - Issue #24847: Removes vcruntime140.dll dependency from Tcl/Tk. - Issue #24839: platform._syscmd_ver raises DeprecationWarning diff --git a/Modules/_io/bytesio.c b/Modules/_io/bytesio.c index d46430d..31cc1f7 100644 --- a/Modules/_io/bytesio.c +++ b/Modules/_io/bytesio.c @@ -57,14 +57,18 @@ scan_eol(bytesio *self, Py_ssize_t len) Py_ssize_t maxlen; assert(self->buf != NULL); + assert(self->pos >= 0); + + if (self->pos >= self->string_size) + return 0; /* Move to the end of the line, up to the end of the string, s. */ - start = PyBytes_AS_STRING(self->buf) + self->pos; maxlen = self->string_size - self->pos; if (len < 0 || len > maxlen) len = maxlen; if (len) { + start = PyBytes_AS_STRING(self->buf) + self->pos; n = memchr(start, '\n', len); if (n) /* Get the length from the current position to the end of -- cgit v0.12