Kaydet (Commit) 6e01d90c authored tarafından Benjamin Peterson's avatar Benjamin Peterson

check for overflow in join_append_data (closes #27758)

Reported by Thomas E. Hybel
üst 6f250032
......@@ -29,6 +29,9 @@ Core and Builtins
Library
-------
- Issue #27758: Fix possible integer overflow in the _csv module for large record
lengths.
- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
that the script is in CGI mode.
......
......@@ -1002,11 +1002,19 @@ join_append_data(WriterObj *self, unsigned int field_kind, void *field_data,
int i;
Py_ssize_t rec_len;
#define ADDCH(c) \
#define INCLEN \
do {\
if (!copy_phase && rec_len == PY_SSIZE_T_MAX) { \
goto overflow; \
} \
rec_len++; \
} while(0)
#define ADDCH(c) \
do {\
if (copy_phase) \
self->rec[rec_len] = c;\
rec_len++;\
INCLEN;\
} while(0)
rec_len = self->rec_len;
......@@ -1072,11 +1080,18 @@ join_append_data(WriterObj *self, unsigned int field_kind, void *field_data,
if (*quoted) {
if (copy_phase)
ADDCH(dialect->quotechar);
else
rec_len += 2;
else {
INCLEN; /* starting quote */
INCLEN; /* ending quote */
}
}
return rec_len;
overflow:
PyErr_NoMemory();
return -1;
#undef ADDCH
#undef INCLEN
}
static int
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment