From 8839fd7372a373c0d63d56897c2593fff5738df0 Mon Sep 17 00:00:00 2001 From: Hirokazu Yamamoto Date: Mon, 29 Jun 2009 13:25:16 +0000 Subject: Issue #6344: Fixed a crash of mmap.read() when passed a negative argument. Reviewed by Amaury Forgeot d'Arc. --- Misc/NEWS | 2 ++ Modules/mmapmodule.c | 16 +++++++++++++--- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/Misc/NEWS b/Misc/NEWS index 5ab68bc..d021fd2 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -12,6 +12,8 @@ What's New in Python 2.7 alpha 1 Core and Builtins ----------------- +- Issue #6344: Fixed a crash of mmap.read() when passed a negative argument. + - Issue #4856: Remove checks for win NT. - Issue #2016: Fixed a crash in a corner case where the dictionary of keyword diff --git a/Modules/mmapmodule.c b/Modules/mmapmodule.c index e1970cb..5e0b3ad 100644 --- a/Modules/mmapmodule.c +++ b/Modules/mmapmodule.c @@ -232,7 +232,7 @@ static PyObject * mmap_read_method(mmap_object *self, PyObject *args) { - Py_ssize_t num_bytes; + Py_ssize_t num_bytes, n; PyObject *result; CHECK_VALID(NULL); @@ -240,8 +240,18 @@ mmap_read_method(mmap_object *self, return(NULL); /* silently 'adjust' out-of-range requests */ - if (num_bytes > self->size - self->pos) { - num_bytes -= (self->pos+num_bytes) - self->size; + assert(self->size >= self->pos); + n = self->size - self->pos; + /* The difference can overflow, only if self->size is greater than + * PY_SSIZE_T_MAX. But then the operation cannot possibly succeed, + * because the mapped area and the returned string each need more + * than half of the addressable memory. So we clip the size, and let + * the code below raise MemoryError. + */ + if (n < 0) + n = PY_SSIZE_T_MAX; + if (num_bytes < 0 || num_bytes > n) { + num_bytes = n; } result = Py_BuildValue("s#", self->data+self->pos, num_bytes); self->pos += num_bytes; -- cgit v0.12