Issue #27473: Fixed possible integer overflow in bytes and bytearray

concatenations. Patch by Xiang Zhang.
2016-07-10 20:48:43 +03:00 · 2016-07-10 20:48:43 +03:00 · 06cfb0cd70
parent 537ad7ad9f
commit 06cfb0cd70
3 changed files with 14 additions and 16 deletions
--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -10,6 +10,9 @@ Release date: TBA
 Core and Builtins
 -----------------

+- Issue #27473: Fixed possible integer overflow in bytes and bytearray
+  concatenations.  Patch by Xiang Zhang.
+
 - Issue #27443: __length_hint__() of bytearray itearator no longer return
  negative integer for resized bytearray.

--- a/Objects/bytearrayobject.c
+++ b/Objects/bytearrayobject.c
@ -246,7 +246,6 @@ PyByteArray_Resize(PyObject *self, Py_ssize_t requested_size)
 PyObject *
 PyByteArray_Concat(PyObject *a, PyObject *b)
 {
-    Py_ssize_t size;
    Py_buffer va, vb;
    PyByteArrayObject *result = NULL;

@ -259,13 +258,13 @@ PyByteArray_Concat(PyObject *a, PyObject *b)
            goto done;
    }

-    size = va.len + vb.len;
-    if (size < 0) {
-            PyErr_NoMemory();
-            goto done;
+    if (va.len > PY_SSIZE_T_MAX - vb.len) {
+        PyErr_NoMemory();
+        goto done;
    }

-    result = (PyByteArrayObject *) PyByteArray_FromStringAndSize(NULL, size);
+    result = (PyByteArrayObject *) \
+        PyByteArray_FromStringAndSize(NULL, va.len + vb.len);
    if (result != NULL) {
        memcpy(result->ob_bytes, va.buf, va.len);
        memcpy(result->ob_bytes + va.len, vb.buf, vb.len);
@ -315,7 +314,6 @@ bytearray_length(PyByteArrayObject *self)
 static PyObject *
 bytearray_iconcat(PyByteArrayObject *self, PyObject *other)
 {
-    Py_ssize_t mysize;
    Py_ssize_t size;
    Py_buffer vo;

@ -325,17 +323,16 @@ bytearray_iconcat(PyByteArrayObject *self, PyObject *other)
        return NULL;
    }

-    mysize = Py_SIZE(self);
-    size = mysize + vo.len;
-    if (size < 0) {
+    size = Py_SIZE(self);
+    if (size > PY_SSIZE_T_MAX - vo.len) {
        PyBuffer_Release(&vo);
        return PyErr_NoMemory();
    }
-    if (PyByteArray_Resize((PyObject *)self, size) < 0) {
+    if (PyByteArray_Resize((PyObject *)self, size + vo.len) < 0) {
        PyBuffer_Release(&vo);
        return NULL;
    }
-    memcpy(PyByteArray_AS_STRING(self) + mysize, vo.buf, vo.len);
+    memcpy(PyByteArray_AS_STRING(self) + size, vo.buf, vo.len);
    PyBuffer_Release(&vo);
    Py_INCREF(self);
    return (PyObject *)self;
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@ -1265,7 +1265,6 @@ bytes_length(PyBytesObject *a)
 static PyObject *
 bytes_concat(PyObject *a, PyObject *b)
 {
-    Py_ssize_t size;
    Py_buffer va, vb;
    PyObject *result = NULL;

@ -1290,13 +1289,12 @@ bytes_concat(PyObject *a, PyObject *b)
        goto done;
    }

-    size = va.len + vb.len;
-    if (size < 0) {
+    if (va.len > PY_SSIZE_T_MAX - vb.len) {
        PyErr_NoMemory();
        goto done;
    }

-    result = PyBytes_FromStringAndSize(NULL, size);
+    result = PyBytes_FromStringAndSize(NULL, va.len + vb.len);
    if (result != NULL) {
        memcpy(PyBytes_AS_STRING(result), va.buf, va.len);
        memcpy(PyBytes_AS_STRING(result) + va.len, vb.buf, vb.len);