Issue #24989: Fixed buffer overread in BytesIO.readline() if a position is

set beyond size.  Based on patch by John Leitch.
This commit is contained in:
Serhiy Storchaka 2015-09-04 01:08:03 +03:00
parent 5b6917e60d
commit 594e54c765
3 changed files with 21 additions and 1 deletions

View File

@ -166,6 +166,10 @@ class MemoryTestMixin:
memio.seek(0) memio.seek(0)
self.assertEqual(memio.read(None), buf) self.assertEqual(memio.read(None), buf)
self.assertRaises(TypeError, memio.read, '') self.assertRaises(TypeError, memio.read, '')
memio.seek(len(buf) + 1)
self.assertEqual(memio.read(1), self.EOF)
memio.seek(len(buf) + 1)
self.assertEqual(memio.read(), self.EOF)
memio.close() memio.close()
self.assertRaises(ValueError, memio.read) self.assertRaises(ValueError, memio.read)
@ -185,6 +189,9 @@ class MemoryTestMixin:
self.assertEqual(memio.readline(-1), buf) self.assertEqual(memio.readline(-1), buf)
memio.seek(0) memio.seek(0)
self.assertEqual(memio.readline(0), self.EOF) self.assertEqual(memio.readline(0), self.EOF)
# Issue #24989: Buffer overread
memio.seek(len(buf) * 2 + 1)
self.assertEqual(memio.readline(), self.EOF)
buf = self.buftype("1234567890\n") buf = self.buftype("1234567890\n")
memio = self.ioclass((buf * 3)[:-1]) memio = self.ioclass((buf * 3)[:-1])
@ -217,6 +224,9 @@ class MemoryTestMixin:
memio.seek(0) memio.seek(0)
self.assertEqual(memio.readlines(None), [buf] * 10) self.assertEqual(memio.readlines(None), [buf] * 10)
self.assertRaises(TypeError, memio.readlines, '') self.assertRaises(TypeError, memio.readlines, '')
# Issue #24989: Buffer overread
memio.seek(len(buf) * 10 + 1)
self.assertEqual(memio.readlines(), [])
memio.close() memio.close()
self.assertRaises(ValueError, memio.readlines) self.assertRaises(ValueError, memio.readlines)
@ -238,6 +248,9 @@ class MemoryTestMixin:
self.assertEqual(line, buf) self.assertEqual(line, buf)
i += 1 i += 1
self.assertEqual(i, 10) self.assertEqual(i, 10)
# Issue #24989: Buffer overread
memio.seek(len(buf) * 10 + 1)
self.assertEqual(list(memio), [])
memio = self.ioclass(buf * 2) memio = self.ioclass(buf * 2)
memio.close() memio.close()
self.assertRaises(ValueError, memio.__next__) self.assertRaises(ValueError, memio.__next__)

View File

@ -92,6 +92,9 @@ Core and Builtins
Library Library
------- -------
- Issue #24989: Fixed buffer overread in BytesIO.readline() if a position is
set beyond size. Based on patch by John Leitch.
- Issue #24847: Removes vcruntime140.dll dependency from Tcl/Tk. - Issue #24847: Removes vcruntime140.dll dependency from Tcl/Tk.
- Issue #24839: platform._syscmd_ver raises DeprecationWarning - Issue #24839: platform._syscmd_ver raises DeprecationWarning

View File

@ -57,14 +57,18 @@ scan_eol(bytesio *self, Py_ssize_t len)
Py_ssize_t maxlen; Py_ssize_t maxlen;
assert(self->buf != NULL); assert(self->buf != NULL);
assert(self->pos >= 0);
if (self->pos >= self->string_size)
return 0;
/* Move to the end of the line, up to the end of the string, s. */ /* Move to the end of the line, up to the end of the string, s. */
start = PyBytes_AS_STRING(self->buf) + self->pos;
maxlen = self->string_size - self->pos; maxlen = self->string_size - self->pos;
if (len < 0 || len > maxlen) if (len < 0 || len > maxlen)
len = maxlen; len = maxlen;
if (len) { if (len) {
start = PyBytes_AS_STRING(self->buf) + self->pos;
n = memchr(start, '\n', len); n = memchr(start, '\n', len);
if (n) if (n)
/* Get the length from the current position to the end of /* Get the length from the current position to the end of