From 1c72acf24cc8e39be5d9cc1674c66811d9b036c4 Mon Sep 17 00:00:00 2001
From: Benjamin Peterson
Date: Sat, 27 Jun 2015 14:52:41 -0500
Subject: ensure internal buffer is large enough for string after flushing (closes #24481)
---
 Lib/test/test_hotshot.py | 4 ++++
 Misc/NEWS | 3 +++
 Modules/_hotshot.c | 4 ++++
 3 files changed, 11 insertions(+)
diff --git a/Lib/test/test_hotshot.py b/Lib/test/test_hotshot.py
index 7da9746..9f4b798 100644
--- a/Lib/test/test_hotshot.py
+++ b/Lib/test/test_hotshot.py
@@ -149,6 +149,10 @@ class HotShotTestCase(unittest.TestCase):
 stats.load(self.logfn)
 os.unlink(self.logfn)
+ def test_large_info(self):
+ p = self.new_profiler()
+ self.assertRaises(ValueError, p.addinfo, "A", "A" * 0xfceb)
+
 def test_main():
 test_support.run_unittest(HotShotTestCase)
diff --git a/Misc/NEWS b/Misc/NEWS
index 3b9b3fa..1496398 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -30,6 +30,9 @@ Core and Builtins
 Library
 -------
+- Issue #24481: Fix possible memory corruption with large profiler info strings
+ in hotshot.
+
 - Issue #24489: ensure a previously set C errno doesn't disturb cmath.polar().
 - Issue #19543: io.TextIOWrapper (and hence io.open()) now uses the internal
diff --git a/Modules/_hotshot.c b/Modules/_hotshot.c
index df8a7f9..9719cb7 100644
--- a/Modules/_hotshot.c
+++ b/Modules/_hotshot.c
@@ -626,6 +626,10 @@ pack_string(ProfilerObject *self, const char *s, Py_ssize_t len)
 if (len + PISIZE + self->index >= BUFFERSIZE) {
 if (flush_data(self) < 0)
 return -1;
+ if (len + PISIZE + self->index >= BUFFERSIZE) {
+ PyErr_SetString(PyExc_ValueError, "string too large for internal buffer");
+ return -1;
+ }
 }
 assert(len < INT_MAX);
 if (pack_packed_int(self, (int)len) < 0)
-- 
cgit v0.12
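Review bot: The new test_large_info pins only the rejection: `0xfceb` is an unexplained magic length, and nothing checks that the profiler is still usable after the refused `addinfo`, which is the state the fix is meant to protect (the failing call may already have flushed buffered data before raising). I would comment the constant, e.g. `# longer than the profiler's fixed internal buffer; see issue #24481`, and follow the assertRaises with a small successful `p.addinfo("A", "A")` and `p.close()` so a regression that leaves the buffer inconsistent after the error is caught. Whether `new_profiler()` creates a log file that needs `os.unlink` afterwards, as the preceding test does, is not visible in the hunk. The enclosing HotShotTestCase class starts outside the hunk.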
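Review bot: The re-evaluated bounds check after `flush_data()` needs a comment saying why it is there: presumably the flush resets `self->index`, so if `len + PISIZE` alone still does not fit, the string can never fit, and the old code fell through to writing it into the fixed-size buffer anyway — I would add `/* buffer is empty now; a string that still doesn't fit never will */` above the new `if`. With that bound in place, `assert(len < INT_MAX)` on the following line is implied (assuming BUFFERSIZE is far below INT_MAX) and, being an assert, was never a release-build guard, so it could be dropped or reduced to a comment. Note that flush_data() has already run when the ValueError is raised, so a rejected call still has a side effect; that seems acceptable but is worth one sentence in the function's header comment. The body of pack_string continues past the hunk, where the length and bytes are presumably written.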