Skip to content

C
cpython
Kaydet (Commit) 18b7fcc7 authored tarafından Nadeem Vawda's avatar Nadeem Vawda
Dosyalara gözat
Seçenekler

Merge #14398: Fix size truncation and overflow bugs in bz2 module.

üst 55084125 5f8f0d67
Hide whitespace changes
Inline Side-by-side
Showing with 26 additions and 9 deletions
Misc/NEWS
Dosyayı görüntüle @ 18b7fcc7
...@@ -46,6 +46,8 @@ Core and Builtins ...@@ -46,6 +46,8 @@ Core and Builtins
Library Library
------- -------
- Issue #14398: Fix size truncation and overflow bugs in the bz2 module.
- Issue #16220: wsgiref now always calls close() on an iterable response. - Issue #16220: wsgiref now always calls close() on an iterable response.
Patch by Brent Tubbs. Patch by Brent Tubbs.
......
Modules/_bz2module.c
Dosyayı görüntüle @ 18b7fcc7
...@@ -123,7 +123,14 @@ grow_buffer(PyObject **buf) ...@@ -123,7 +123,14 @@ grow_buffer(PyObject **buf)
giving us amortized linear-time behavior. Use a less-than-double giving us amortized linear-time behavior. Use a less-than-double
growth factor to avoid excessive allocation. */ growth factor to avoid excessive allocation. */
size_t size = PyBytes_GET_SIZE(*buf); size_t size = PyBytes_GET_SIZE(*buf);
return _PyBytes_Resize(buf, size + (size >> 3) + 6); size_t new_size = size + (size >> 3) + 6;
if (new_size > size) {
return _PyBytes_Resize(buf, new_size);
} else { /* overflow */
PyErr_SetString(PyExc_OverflowError,
"Unable to allocate buffer - output too large");
return -1;
}
} }
...@@ -169,10 +176,14 @@ compress(BZ2Compressor *c, char *data, size_t len, int action) ...@@ -169,10 +176,14 @@ compress(BZ2Compressor *c, char *data, size_t len, int action)
break; break;
if (c->bzs.avail_out == 0) { if (c->bzs.avail_out == 0) {
if (grow_buffer(&result) < 0) size_t buffer_left = PyBytes_GET_SIZE(result) - data_size;
goto error; if (buffer_left == 0) {
c->bzs.next_out = PyBytes_AS_STRING(result) + data_size; if (grow_buffer(&result) < 0)
c->bzs.avail_out = PyBytes_GET_SIZE(result) - data_size; goto error;
c->bzs.next_out = PyBytes_AS_STRING(result) + data_size;
buffer_left = PyBytes_GET_SIZE(result) - data_size;
}
c->bzs.avail_out = MIN(buffer_left, UINT_MAX);
} }
} }
if (data_size != PyBytes_GET_SIZE(result)) if (data_size != PyBytes_GET_SIZE(result))
...@@ -390,10 +401,14 @@ decompress(BZ2Decompressor *d, char *data, size_t len) ...@@ -390,10 +401,14 @@ decompress(BZ2Decompressor *d, char *data, size_t len)
len -= d->bzs.avail_in; len -= d->bzs.avail_in;
} }
if (d->bzs.avail_out == 0) { if (d->bzs.avail_out == 0) {
if (grow_buffer(&result) < 0) size_t buffer_left = PyBytes_GET_SIZE(result) - data_size;
goto error; if (buffer_left == 0) {
d->bzs.next_out = PyBytes_AS_STRING(result) + data_size; if (grow_buffer(&result) < 0)
d->bzs.avail_out = PyBytes_GET_SIZE(result) - data_size; goto error;
d->bzs.next_out = PyBytes_AS_STRING(result) + data_size;
buffer_left = PyBytes_GET_SIZE(result) - data_size;
}
d->bzs.avail_out = MIN(buffer_left, UINT_MAX);
} }
} }
if (data_size != PyBytes_GET_SIZE(result)) if (data_size != PyBytes_GET_SIZE(result))
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment