From 37a79a12d1a9c337e0a8f7a12f11600c44be824f Mon Sep 17 00:00:00 2001 From: Serhiy Storchaka Date: Tue, 28 May 2013 16:24:45 +0300 Subject: Issue #18025: Fixed a segfault in io.BufferedIOBase.readinto() when raw stream's read() returns more bytes than requested. --- Lib/test/test_io.py | 9 +++++++++ Misc/NEWS | 3 +++ Modules/_io/bufferedio.c | 8 ++++++++ 3 files changed, 20 insertions(+) diff --git a/Lib/test/test_io.py b/Lib/test/test_io.py index 6efd010..9b89202 100644 --- a/Lib/test/test_io.py +++ b/Lib/test/test_io.py @@ -3019,6 +3019,15 @@ class MiscIOTest(unittest.TestCase): class CMiscIOTest(MiscIOTest): io = io + def test_readinto_buffer_overflow(self): + # Issue #18025 + class BadReader(self.io.BufferedIOBase): + def read(self, n=-1): + return b'x' * 10**6 + bufio = BadReader() + b = bytearray(2) + self.assertRaises(ValueError, bufio.readinto, b) + class PyMiscIOTest(MiscIOTest): io = pyio diff --git a/Misc/NEWS b/Misc/NEWS index 41bc856..cb1a33a 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -24,6 +24,9 @@ Core and Builtins Library ------- +- Issue #18025: Fixed a segfault in io.BufferedIOBase.readinto() when raw + stream's read() returns more bytes than requested. + - Issue #18011: base64.b32decode() now raises a binascii.Error if there are non-alphabet characters present in the input string to conform a docstring. Updated the module documentation. diff --git a/Modules/_io/bufferedio.c b/Modules/_io/bufferedio.c index 2b39f66..7f180a4 100644 --- a/Modules/_io/bufferedio.c +++ b/Modules/_io/bufferedio.c @@ -69,6 +69,14 @@ bufferediobase_readinto(PyObject *self, PyObject *args) } len = Py_SIZE(data); + if (len > buf.len) { + PyErr_Format(PyExc_ValueError, + "read() returned too much data: " + "%zd bytes requested, %zd returned", + buf.len, len); + Py_DECREF(data); + goto error; + } memcpy(buf.buf, PyBytes_AS_STRING(data), len); PyBuffer_Release(&buf); -- cgit v0.12