From 16caab00a259c1a01f8e47abdd321c42b1b6e554 Mon Sep 17 00:00:00 2001 From: Hirokazu Yamamoto Date: Tue, 31 Mar 2009 13:44:06 +0000 Subject: Merged revisions 70800 via svnmerge from svn+ssh://pythondev@svn.python.org/python/trunk ........ r70800 | hirokazu.yamamoto | 2009-03-31 22:13:05 +0900 | 1 line Issue #5387: Fixed mmap.move crash by integer overflow. ........ --- Lib/test/test_mmap.py | 17 +++++++++++++++++ Misc/NEWS | 2 ++ Modules/mmapmodule.c | 6 ++---- 3 files changed, 21 insertions(+), 4 deletions(-) diff --git a/Lib/test/test_mmap.py b/Lib/test/test_mmap.py index 7e0599a..2e03673 100644 --- a/Lib/test/test_mmap.py +++ b/Lib/test/test_mmap.py @@ -335,6 +335,23 @@ class MmapTests(unittest.TestCase): mf.close() f.close() + # more excessive test + data = b"0123456789" + for dest in range(len(data)): + for src in range(len(data)): + for count in range(len(data) - max(dest, src)): + expected = data[:dest] + data[src:src+count] + data[dest+count:] + m = mmap.mmap(-1, len(data)) + m[:] = data + m.move(dest, src, count) + self.assertEqual(m[:], expected) + m.close() + + # should not crash + m = mmap.mmap(-1, 1) + self.assertRaises(ValueError, m.move, 1, 1, -1) + m.close() + def test_anonymous(self): # anonymous mmap.mmap(-1, PAGE) m = mmap.mmap(-1, PAGESIZE) diff --git a/Misc/NEWS b/Misc/NEWS index 911e944..d78220e 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -53,6 +53,8 @@ Core and Builtins Library ------- +- Issue #5387: Fixed mmap.move crash by integer overflow. + - Issue #5261: Patch multiprocessing's semaphore.c to support context manager use: "with multiprocessing.Lock()" works now. diff --git a/Modules/mmapmodule.c b/Modules/mmapmodule.c index 45da96f..d903eca 100644 --- a/Modules/mmapmodule.c +++ b/Modules/mmapmodule.c @@ -623,10 +623,8 @@ mmap_move_method(mmap_object *self, PyObject *args) return NULL; } else { /* bounds check the values */ - if (/* end of source after end of data?? */ - ((src+count) > self->size) - /* dest will fit? */ - || (dest+count > self->size)) { + unsigned long pos = src > dest ? src : dest; + if (self->size >= pos && count > self->size - pos) { PyErr_SetString(PyExc_ValueError, "source or destination out of range"); return NULL; -- cgit v0.12