Issue #19687: Fixed possible integer overflows in ElementTree.

Based on patch by Christian Heimes.
2015-11-25 20:12:58 +02:00 · 2015-11-25 20:12:58 +02:00 · c4c64be1b8
parent ee1b24ccaa
commit c4c64be1b8
1 changed files with 23 additions and 6 deletions
--- a/Modules/_elementtree.c
+++ b/Modules/_elementtree.c
@ -337,9 +337,9 @@ element_new(PyObject* tag, PyObject* attrib)
 }
 LOCAL(int)
-element_resize(ElementObject* self, int extra)
+element_resize(ElementObject* self, Py_ssize_t extra)
 {
-    int size;
+    Py_ssize_t size;
    PyObject* *children;
    /* make sure self->children can hold the given number of extra
@ -359,6 +359,13 @@ element_resize(ElementObject* self, int extra)
         * be safe.
         */
        size = size ? size : 1;
        if ((size_t)size > PY_SSIZE_T_MAX/sizeof(PyObject*))
            goto nomemory;
        if (size > INT_MAX) {
            PyErr_SetString(PyExc_OverflowError,
                            "too many children");
            return -1;
        }
        if (self->extra->children != self->extra->_children) {
            /* Coverity CID #182 size_error: Allocating 1 bytes to pointer
             * "children", which needs at least 4 bytes. Although it's a 
@ -1256,15 +1263,16 @@ static int
 element_setitem(PyObject* self_, Py_ssize_t index, PyObject* item)
 {
    ElementObject* self = (ElementObject*) self_;
-    int i;
+    int i, index;
    PyObject* old;
-    if (!self->extra || index < 0 || index >= self->extra->length) {
+    if (!self->extra || index_ < 0 || index_ >= self->extra->length) {
        PyErr_SetString(
            PyExc_IndexError,
            "child assignment index out of range");
        return -1;
    }
    index = (int)index_;
    old = self->extra->children[index];
@ -1373,6 +1381,7 @@ element_ass_subscr(PyObject* self_, PyObject* item, PyObject* value)
                &start, &stop, &step, &slicelen) < 0) {
            return -1;
        }
        assert(slicelen <= self->extra->length);
        if (value == NULL)
            newlen = 0;
@ -1413,6 +1422,8 @@ element_ass_subscr(PyObject* self_, PyObject* item, PyObject* value)
                return -1;
            }
        }
        assert(newlen - slicelen <= INT_MAX - self->extra->length);
        assert(newlen - slicelen >= -self->extra->length);
        if (slicelen > 0) {
            /* to avoid recursive calls to this method (via decref), move
@ -1446,7 +1457,7 @@ element_ass_subscr(PyObject* self_, PyObject* item, PyObject* value)
            self->extra->children[cur] = element;
        }
-        self->extra->length += newlen - slicelen;
+        self->extra->length += (int)(newlen - slicelen);
        Py_XDECREF(seq);
@ -2704,8 +2715,14 @@ xmlparser_parse(XMLParserObject* self, PyObject* args)
            break;
        }
        if (PyString_GET_SIZE(buffer) > INT_MAX) {
            Py_DECREF(buffer);
            Py_DECREF(reader);
            PyErr_SetString(PyExc_OverflowError, "size does not fit in an int");
            return NULL;
        }
        res = expat_parse(
-            self, PyString_AS_STRING(buffer), PyString_GET_SIZE(buffer), 0
+            self, PyString_AS_STRING(buffer), (int)PyString_GET_SIZE(buffer), 0
            );
        Py_DECREF(buffer);