ensure internal buffer is large enough for string after flushing (closes #24481)

1c72acf2 · Benjamin Peterson · 1ecb5ce7 · 1c72acf2 · 1c72acf2 · 1c72acf2
Kaydet (Commit) 1c72acf2 authored Haz 27, 2015 tarafından Benjamin Peterson
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

test_hotshot.py Lib/test/test_hotshot.py +4 -0

NEWS Misc/NEWS +3 -0

_hotshot.c Modules/_hotshot.c +4 -0

No files found.
--- a/Lib/test/test_hotshot.py
+++ b/Lib/test/test_hotshot.py
@@ -149,6 +149,10 @@ class HotShotTestCase(unittest.TestCase):
        stats.load(self.logfn)
        os.unlink(self.logfn)
+    def test_large_info(self):
+        p = self.new_profiler()
+        self.assertRaises(ValueError, p.addinfo, "A", "A" * 0xfceb)
 def test_main():
    test_support.run_unittest(HotShotTestCase)

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -30,6 +30,9 @@ Core and Builtins
 Library
 -------
+- Issue #24481: Fix possible memory corruption with large profiler info strings
+  in hotshot.
 - Issue #24489: ensure a previously set C errno doesn't disturb cmath.polar().
 - Issue #19543: io.TextIOWrapper (and hence io.open()) now uses the internal

--- a/Modules/_hotshot.c
+++ b/Modules/_hotshot.c
@@ -626,6 +626,10 @@ pack_string(ProfilerObject *self, const char *s, Py_ssize_t len)
    if (len + PISIZE + self->index >= BUFFERSIZE) {
        if (flush_data(self) < 0)
            return -1;
+        if (len + PISIZE + self->index >= BUFFERSIZE) {
+            PyErr_SetString(PyExc_ValueError, "string too large for internal buffer");
+            return -1;
+        }
    }
    assert(len < INT_MAX);
    if (pack_packed_int(self, (int)len) < 0)