From 615461603c3d81a80285299fc3a0dc47d2858864 Mon Sep 17 00:00:00 2001 From: Neal Norwitz Date: Fri, 14 Apr 2006 05:20:28 +0000 Subject: SF Bug #1454485, array.array('u') could crash the interpreter when passing a string. Martin already fixed the actual crash by ensuring Py_UNICODE is unsigned. As discussed on python-dev, this fix removes the possibility of creating a unicode string from a raw buffer. There is an outstanding question of how to fix the crash in 2.4. --- Misc/NEWS | 7 +++++++ Python/getargs.c | 7 ++----- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/Misc/NEWS b/Misc/NEWS index f397739..e75047c 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -12,6 +12,13 @@ What's New in Python 2.5 alpha 2? Core and builtins ----------------- +- Bug #1454485, array.array('u') could crash the interpreter. This was + due to PyArgs_ParseTuple(args, 'u#', ...) trying to convert buffers (strings) + to unicode when it didn't make sense. 'u#' now requires a unicode string. + +- Py_UNICODE is unsigned. It was always documented as unsigned, but + due to a bug had a signed value in previous versions. + - Patch #837242: ``id()`` of any Python object always gives a positive number now, which might be a long integer. ``PyLong_FromVoidPtr`` and ``PyLong_AsVoidPtr`` have been changed accordingly. Note that it has diff --git a/Python/getargs.c b/Python/getargs.c index e6f607a..5908e6b 100644 --- a/Python/getargs.c +++ b/Python/getargs.c @@ -1042,11 +1042,8 @@ convertsimple(PyObject *arg, const char **p_format, va_list *p_va, int flags, STORE_SIZE(PyUnicode_GET_SIZE(arg)); } else { - char *buf; - Py_ssize_t count = convertbuffer(arg, p, &buf); - if (count < 0) - return converterr(buf, arg, msgbuf, bufsize); - STORE_SIZE(count/(sizeof(Py_UNICODE))); + return converterr("cannot convert raw buffers", + arg, msgbuf, bufsize); } format++; } else { -- cgit v0.12