[Python-checkins] cpython (2.7): ensure internal buffer is large enough for string after flushing (closes #24481)

Sat Jun 27 21:52:36 CEST 2015

https://hg.python.org/cpython/rev/4f48b1e982ca
changeset: 96692:4f48b1e982ca
branch: 2.7
parent: 96682:10eea15880db
user: Benjamin Peterson <benjamin at python.org>
date: Sat Jun 27 14:52:41 2015 -0500
summary:
 ensure internal buffer is large enough for string after flushing (closes #24481)
files:
 Lib/test/test_hotshot.py | 4 ++++
 Misc/NEWS | 3 +++
 Modules/_hotshot.c | 4 ++++
 3 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/Lib/test/test_hotshot.py b/Lib/test/test_hotshot.py
--- a/Lib/test/test_hotshot.py
+++ b/Lib/test/test_hotshot.py
@@ -149,6 +149,10 @@
 stats.load(self.logfn)
 os.unlink(self.logfn)
 
+ def test_large_info(self):
+ p = self.new_profiler()
+ self.assertRaises(ValueError, p.addinfo, "A", "A" * 0xfceb)
+
 
 def test_main():
 test_support.run_unittest(HotShotTestCase)
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -30,6 +30,9 @@
 Library
 -------
 
+- Issue #24481: Fix possible memory corruption with large profiler info strings
+ in hotshot.
+
 - Issue #24489: ensure a previously set C errno doesn't disturb cmath.polar().
 
 - Issue #19543: io.TextIOWrapper (and hence io.open()) now uses the internal
diff --git a/Modules/_hotshot.c b/Modules/_hotshot.c
--- a/Modules/_hotshot.c
+++ b/Modules/_hotshot.c
@@ -626,6 +626,10 @@
 if (len + PISIZE + self->index >= BUFFERSIZE) {
 if (flush_data(self) < 0)
 return -1;
+ if (len + PISIZE + self->index >= BUFFERSIZE) {
+ PyErr_SetString(PyExc_ValueError, "string too large for internal buffer");
+ return -1;
+ }
 }
 assert(len < INT_MAX);
 if (pack_packed_int(self, (int)len) < 0)
-- 
Repository URL: https://hg.python.org/cpython
