bpo-30245: Fix possible overflow when organize struct.pack_into error message (#1682)

2017-06-02 14:33:04 +08:00 · 2017-06-02 14:33:04 +08:00 · aead53b6ee
parent cdb89cd72c
commit aead53b6ee
4 changed files with 19 additions and 2 deletions
--- a/Lib/test/test_struct.py
+++ b/Lib/test/test_struct.py
@ -599,6 +599,16 @@ class StructTest(unittest.TestCase):
                'offset -11 out of range for 10-byte buffer'):
            struct.pack_into('<B', byte_list, -11, 123)

+    def test_boundary_error_message_with_large_offset(self):
+        # Test overflows cause by large offset and value size (issue 30245)
+        regex = (
+            r'pack_into requires a buffer of at least ' + str(sys.maxsize + 4) +
+            r' bytes for packing 4 bytes at offset ' + str(sys.maxsize) +
+            r' \(actual buffer size is 10\)'
+        )
+        with self.assertRaisesRegex(struct.error, regex):
+            struct.pack_into('<I', bytearray(10), sys.maxsize, 1)
+
    def test_issue29802(self):
        # When the second argument of struct.unpack() was of wrong type
        # the Struct object was decrefed twice and the reference to
--- a/Misc/ACKS
+++ b/Misc/ACKS
@ -921,6 +921,7 @@ Gregor Lingl
 Everett Lipman
 Mirko Liss
 Alexander Liu
+Yuan Liu
 Nick Lockwood
 Stephanie Lockwood
 Martin von Löwis
--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -345,6 +345,9 @@ Extension Modules
 Library
 -------

+- bpo-30245: Fix possible overflow when organize struct.pack_into
+  error message.  Patch by Yuan Liu.
+  
 - bpo-30378: Fix the problem that logging.handlers.SysLogHandler cannot
  handle IPv6 addresses.

--- a/Modules/_struct.c
+++ b/Modules/_struct.c
@ -1929,11 +1929,14 @@ s_pack_into(PyObject *self, PyObject **args, Py_ssize_t nargs, PyObject *kwnames

    /* Check boundaries */
    if ((buffer.len - offset) < soself->s_size) {
+        assert(offset >= 0);
+        assert(soself->s_size >= 0);
+
        PyErr_Format(StructError,
-                     "pack_into requires a buffer of at least %zd bytes for "
+                     "pack_into requires a buffer of at least %zu bytes for "
                     "packing %zd bytes at offset %zd "
                     "(actual buffer size is %zd)",
-                     soself->s_size + offset,
+                     (size_t)soself->s_size + (size_t)offset,
                     soself->s_size,
                     offset,
                     buffer.len);