[Python-checkins] cpython (merge 3.5 -> default): Issue #27473: Fixed possible integer overflow in bytes and bytearray

Sun Jul 10 14:35:13 EDT 2016

https://hg.python.org/cpython/rev/de8f0e9196d8
changeset: 102309:de8f0e9196d8
parent: 102299:31cdf23da19d
parent: 102308:dac248056b20
user: Serhiy Storchaka <storchaka at gmail.com>
date: Sun Jul 10 20:51:35 2016 +0300
summary:
 Issue #27473: Fixed possible integer overflow in bytes and bytearray
concatenations. Patch by Xiang Zhang.
files:
 Misc/NEWS | 3 +++
 Objects/bytearrayobject.c | 21 +++++++++------------
 Objects/bytesobject.c | 6 ++----
 3 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@
 Core and Builtins
 -----------------
 
+- Issue #27473: Fixed possible integer overflow in bytes and bytearray
+ concatenations. Patch by Xiang Zhang.
+
 - Issue #23034: The output of a special Python build with defined COUNT_ALLOCS,
 SHOW_ALLOC_COUNT or SHOW_TRACK_COUNT macros is now off by default. It can
 be re-enabled using the "-X showalloccount" option. It now outputs to stderr
diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c
--- a/Objects/bytearrayobject.c
+++ b/Objects/bytearrayobject.c
@@ -246,7 +246,6 @@
 PyObject *
 PyByteArray_Concat(PyObject *a, PyObject *b)
 {
- Py_ssize_t size;
 Py_buffer va, vb;
 PyByteArrayObject *result = NULL;
 
@@ -259,13 +258,13 @@
 goto done;
 }
 
- size = va.len + vb.len;
- if (size < 0) {
- PyErr_NoMemory();
- goto done;
+ if (va.len > PY_SSIZE_T_MAX - vb.len) {
+ PyErr_NoMemory();
+ goto done;
 }
 
- result = (PyByteArrayObject *) PyByteArray_FromStringAndSize(NULL, size);
+ result = (PyByteArrayObject *) \
+ PyByteArray_FromStringAndSize(NULL, va.len + vb.len);
 if (result != NULL) {
 memcpy(result->ob_bytes, va.buf, va.len);
 memcpy(result->ob_bytes + va.len, vb.buf, vb.len);
@@ -290,7 +289,6 @@
 static PyObject *
 bytearray_iconcat(PyByteArrayObject *self, PyObject *other)
 {
- Py_ssize_t mysize;
 Py_ssize_t size;
 Py_buffer vo;
 
@@ -300,17 +298,16 @@
 return NULL;
 }
 
- mysize = Py_SIZE(self);
- size = mysize + vo.len;
- if (size < 0) {
+ size = Py_SIZE(self);
+ if (size > PY_SSIZE_T_MAX - vo.len) {
 PyBuffer_Release(&vo);
 return PyErr_NoMemory();
 }
- if (PyByteArray_Resize((PyObject *)self, size) < 0) {
+ if (PyByteArray_Resize((PyObject *)self, size + vo.len) < 0) {
 PyBuffer_Release(&vo);
 return NULL;
 }
- memcpy(PyByteArray_AS_STRING(self) + mysize, vo.buf, vo.len);
+ memcpy(PyByteArray_AS_STRING(self) + size, vo.buf, vo.len);
 PyBuffer_Release(&vo);
 Py_INCREF(self);
 return (PyObject *)self;
diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -1388,7 +1388,6 @@
 static PyObject *
 bytes_concat(PyObject *a, PyObject *b)
 {
- Py_ssize_t size;
 Py_buffer va, vb;
 PyObject *result = NULL;
 
@@ -1413,13 +1412,12 @@
 goto done;
 }
 
- size = va.len + vb.len;
- if (size < 0) {
+ if (va.len > PY_SSIZE_T_MAX - vb.len) {
 PyErr_NoMemory();
 goto done;
 }
 
- result = PyBytes_FromStringAndSize(NULL, size);
+ result = PyBytes_FromStringAndSize(NULL, va.len + vb.len);
 if (result != NULL) {
 memcpy(PyBytes_AS_STRING(result), va.buf, va.len);
 memcpy(PyBytes_AS_STRING(result) + va.len, vb.buf, vb.len);
-- 
Repository URL: https://hg.python.org/cpython
