Issue #27570: Avoid zero-length memcpy() calls with null source pointers

This commit is contained in:
Martin Panter 2016-09-07 11:04:41 +00:00
parent 799520c91e
commit be8da9c990
5 changed files with 40 additions and 15 deletions

View File

@ -38,14 +38,24 @@ typecodes = "ubBhHiIlLfd"
if have_long_long: if have_long_long:
typecodes += 'qQ' typecodes += 'qQ'
class BadConstructorTest(unittest.TestCase): class MiscTest(unittest.TestCase):
def test_constructor(self): def test_bad_constructor(self):
self.assertRaises(TypeError, array.array) self.assertRaises(TypeError, array.array)
self.assertRaises(TypeError, array.array, spam=42) self.assertRaises(TypeError, array.array, spam=42)
self.assertRaises(TypeError, array.array, 'xx') self.assertRaises(TypeError, array.array, 'xx')
self.assertRaises(ValueError, array.array, 'x') self.assertRaises(ValueError, array.array, 'x')
def test_empty(self):
# Exercise code for handling zero-length arrays
a = array.array('B')
a[:] = a
self.assertEqual(len(a), 0)
self.assertEqual(len(a + a), 0)
self.assertEqual(len(a * 3), 0)
a += a
self.assertEqual(len(a), 0)
# Machine format codes. # Machine format codes.
# #

View File

@ -67,6 +67,9 @@ Core and Builtins
Library Library
------- -------
- Issue #27570: Avoid zero-length memcpy() etc calls with null source
pointers in the "ctypes" and "array" modules.
- Issue #22233: Break email header lines *only* on the RFC specified CR and LF - Issue #22233: Break email header lines *only* on the RFC specified CR and LF
characters, not on arbitrary unicode line breaks. This also fixes a bug in characters, not on arbitrary unicode line breaks. This also fixes a bug in
HTTP header parsing. HTTP header parsing.

View File

@ -1381,8 +1381,10 @@ PyCArrayType_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
goto error; goto error;
} }
stgdict->shape[0] = length; stgdict->shape[0] = length;
memmove(&stgdict->shape[1], itemdict->shape, if (stgdict->ndim > 1) {
sizeof(Py_ssize_t) * (stgdict->ndim - 1)); memmove(&stgdict->shape[1], itemdict->shape,
sizeof(Py_ssize_t) * (stgdict->ndim - 1));
}
itemsize = itemdict->size; itemsize = itemdict->size;
if (length * itemsize < 0) { if (length * itemsize < 0) {

View File

@ -391,9 +391,11 @@ PyCStructUnionType_update_stgdict(PyObject *type, PyObject *fields, int isStruct
} }
memset(stgdict->ffi_type_pointer.elements, 0, memset(stgdict->ffi_type_pointer.elements, 0,
sizeof(ffi_type *) * (basedict->length + len + 1)); sizeof(ffi_type *) * (basedict->length + len + 1));
memcpy(stgdict->ffi_type_pointer.elements, if (basedict->length > 0) {
basedict->ffi_type_pointer.elements, memcpy(stgdict->ffi_type_pointer.elements,
sizeof(ffi_type *) * (basedict->length)); basedict->ffi_type_pointer.elements,
sizeof(ffi_type *) * (basedict->length));
}
ffi_ofs = basedict->length; ffi_ofs = basedict->length;
} else { } else {
offset = 0; offset = 0;

View File

@ -745,8 +745,10 @@ array_slice(arrayobject *a, Py_ssize_t ilow, Py_ssize_t ihigh)
np = (arrayobject *) newarrayobject(&Arraytype, ihigh - ilow, a->ob_descr); np = (arrayobject *) newarrayobject(&Arraytype, ihigh - ilow, a->ob_descr);
if (np == NULL) if (np == NULL)
return NULL; return NULL;
memcpy(np->ob_item, a->ob_item + ilow * a->ob_descr->itemsize, if (ihigh > ilow) {
(ihigh-ilow) * a->ob_descr->itemsize); memcpy(np->ob_item, a->ob_item + ilow * a->ob_descr->itemsize,
(ihigh-ilow) * a->ob_descr->itemsize);
}
return (PyObject *)np; return (PyObject *)np;
} }
@ -804,9 +806,13 @@ array_concat(arrayobject *a, PyObject *bb)
if (np == NULL) { if (np == NULL) {
return NULL; return NULL;
} }
memcpy(np->ob_item, a->ob_item, Py_SIZE(a)*a->ob_descr->itemsize); if (Py_SIZE(a) > 0) {
memcpy(np->ob_item + Py_SIZE(a)*a->ob_descr->itemsize, memcpy(np->ob_item, a->ob_item, Py_SIZE(a)*a->ob_descr->itemsize);
b->ob_item, Py_SIZE(b)*b->ob_descr->itemsize); }
if (Py_SIZE(b) > 0) {
memcpy(np->ob_item + Py_SIZE(a)*a->ob_descr->itemsize,
b->ob_item, Py_SIZE(b)*b->ob_descr->itemsize);
}
return (PyObject *)np; return (PyObject *)np;
#undef b #undef b
} }
@ -826,7 +832,7 @@ array_repeat(arrayobject *a, Py_ssize_t n)
np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr); np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr);
if (np == NULL) if (np == NULL)
return NULL; return NULL;
if (n == 0) if (size == 0)
return (PyObject *)np; return (PyObject *)np;
oldbytes = Py_SIZE(a) * a->ob_descr->itemsize; oldbytes = Py_SIZE(a) * a->ob_descr->itemsize;
newbytes = oldbytes * n; newbytes = oldbytes * n;
@ -985,8 +991,10 @@ array_do_extend(arrayobject *self, PyObject *bb)
size = oldsize + Py_SIZE(b); size = oldsize + Py_SIZE(b);
if (array_resize(self, size) == -1) if (array_resize(self, size) == -1)
return -1; return -1;
memcpy(self->ob_item + oldsize * self->ob_descr->itemsize, if (bbsize > 0) {
b->ob_item, bbsize * b->ob_descr->itemsize); memcpy(self->ob_item + oldsize * self->ob_descr->itemsize,
b->ob_item, bbsize * b->ob_descr->itemsize);
}
return 0; return 0;
#undef b #undef b