[Python-checkins] cpython: Issue #14700: Fix two broken and undefined-behaviour-inducing overflow checks

mark.dickinson python-checkins at python.org
Mon May 7 12:21:09 CEST 2012

• Previous message: [Python-checkins] cpython: Issue #14705: Added support for the new 'p' format unit to skipitem().
• Next message: [Python-checkins] cpython (3.2): Issue #14701: Add missing support for 'raise ... from' in parser module.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

http://hg.python.org/cpython/rev/064c2d0483f8
changeset: 76817:064c2d0483f8
user: Mark Dickinson <mdickinson at enthought.com>
date: Mon May 07 11:20:50 2012 +0100
summary:
 Issue #14700: Fix two broken and undefined-behaviour-inducing overflow checks in old-style string formatting. Thanks Serhiy Storchaka for report and original patch.
files:
 Lib/test/string_tests.py | 4 ++++
 Misc/NEWS | 3 +++
 Objects/unicodeobject.c | 4 ++--
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/Lib/test/string_tests.py b/Lib/test/string_tests.py
--- a/Lib/test/string_tests.py
+++ b/Lib/test/string_tests.py
@@ -1197,6 +1197,10 @@
 self.checkraises(TypeError, '%10.*f', '__mod__', ('foo', 42.))
 self.checkraises(ValueError, '%10', '__mod__', (42,))
 
+ # Outrageously large width or precision should raise ValueError.
+ self.checkraises(ValueError, '%%%df' % (2**64), '__mod__', (3.2))
+ self.checkraises(ValueError, '%%.%df' % (2**64), '__mod__', (3.2))
+
 def test_floatformatting(self):
 # float formatting
 for prec in range(100):
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@
 Core and Builtins
 -----------------
 
+- Issue #14700: Fix two broken and undefined-behaviour-inducing overflow checks
+ in old-style string formatting.
+
 - Issue #14705: The PyArg_Parse() family of functions now support the 'p' format
 unit, which accepts a "boolean predicate" argument. It converts any Python
 value into an integer--0 if it is "false", and 1 otherwise.
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -13933,7 +13933,7 @@
 c = PyUnicode_READ(fmtkind, fmt, fmtpos++);
 if (c < '0' || c > '9')
 break;
- if ((width*10) / 10 != width) {
+ if (width > (PY_SSIZE_T_MAX - (c - '0')) / 10) {
 PyErr_SetString(PyExc_ValueError,
 "width too big");
 goto onError;
@@ -13968,7 +13968,7 @@
 c = PyUnicode_READ(fmtkind, fmt, fmtpos++);
 if (c < '0' || c > '9')
 break;
- if ((prec*10) / 10 != prec) {
+ if (prec > (INT_MAX - (c - '0')) / 10) {
 PyErr_SetString(PyExc_ValueError,
 "prec too big");
 goto onError;
-- 
Repository URL: http://hg.python.org/cpython

---

• Previous message: [Python-checkins] cpython: Issue #14705: Added support for the new 'p' format unit to skipitem().
• Next message: [Python-checkins] cpython (3.2): Issue #14701: Add missing support for 'raise ... from' in parser module.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

More information about the Python-checkins mailing list