merge 3.4 (closes #27758)

2016-08-13 17:21:54 -07:00 · 2016-08-13 17:21:54 -07:00 · 9745ee0b44
parent 689016fc00 59b6abd38c
commit 9745ee0b44
2 changed files with 22 additions and 4 deletions
--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -37,6 +37,9 @@ Library
 - Issue #26750: unittest.mock.create_autospec() now works properly for
  subclasses of property() and other data descriptors.

+- Issue #27758: Fix possible integer overflow in the _csv module for large record
+  lengths.
+
 - Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
  HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
  that the script is in CGI mode.
--- a/Modules/_csv.c
+++ b/Modules/_csv.c
@ -1014,11 +1014,19 @@ join_append_data(WriterObj *self, unsigned int field_kind, void *field_data,
    int i;
    Py_ssize_t rec_len;

-#define ADDCH(c) \
+#define INCLEN \
+    do {\
+        if (!copy_phase && rec_len == PY_SSIZE_T_MAX) {    \
+            goto overflow; \
+        } \
+        rec_len++; \
+    } while(0)
+
+#define ADDCH(c)                                \
    do {\
        if (copy_phase) \
            self->rec[rec_len] = c;\
-        rec_len++;\
+        INCLEN;\
    } while(0)

    rec_len = self->rec_len;
@ -1072,11 +1080,18 @@ join_append_data(WriterObj *self, unsigned int field_kind, void *field_data,
    if (*quoted) {
        if (copy_phase)
            ADDCH(dialect->quotechar);
-        else
-            rec_len += 2;
+        else {
+            INCLEN; /* starting quote */
+            INCLEN; /* ending quote */
+        }
    }
    return rec_len;
+
+  overflow:
+    PyErr_NoMemory();
+    return -1;
 #undef ADDCH
+#undef INCLEN
 }

 static int