diff --git a/Misc/NEWS b/Misc/NEWS index e9a8f28f2ca..c3235dee540 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -29,6 +29,9 @@ Core and Builtins Library ------- +- Issue #27758: Fix possible integer overflow in the _csv module for large record + lengths. + - Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates that the script is in CGI mode. diff --git a/Modules/_csv.c b/Modules/_csv.c index f5f6e716864..dcb671e40a8 100644 --- a/Modules/_csv.c +++ b/Modules/_csv.c @@ -1002,11 +1002,19 @@ join_append_data(WriterObj *self, unsigned int field_kind, void *field_data, int i; Py_ssize_t rec_len; -#define ADDCH(c) \ +#define INCLEN \ + do {\ + if (!copy_phase && rec_len == PY_SSIZE_T_MAX) { \ + goto overflow; \ + } \ + rec_len++; \ + } while(0) + +#define ADDCH(c) \ do {\ if (copy_phase) \ self->rec[rec_len] = c;\ - rec_len++;\ + INCLEN;\ } while(0) rec_len = self->rec_len; @@ -1072,11 +1080,18 @@ join_append_data(WriterObj *self, unsigned int field_kind, void *field_data, if (*quoted) { if (copy_phase) ADDCH(dialect->quotechar); - else - rec_len += 2; + else { + INCLEN; /* starting quote */ + INCLEN; /* ending quote */ + } } return rec_len; + + overflow: + PyErr_NoMemory(); + return -1; #undef ADDCH +#undef INCLEN } static int