check for overflow in join_append_data (closes #27758)

Reported by Thomas E. Hybel

check for overflow in join_append_data (closes #27758)
Reported by Thomas E. Hybel
d81ad0df · Benjamin Peterson · 04a53853 · d81ad0df · d81ad0df
Kaydet (Commit) d81ad0df authored Agu 14, 2016 tarafından Benjamin Peterson
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 4 deletions

NEWS Misc/NEWS +3 -0

_csv.c Modules/_csv.c +19 -4

No files found.
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -29,6 +29,9 @@ Core and Builtins
 Library
 -------
+- Issue #27758: Fix possible integer overflow in the _csv module for large record
+  lengths.
 - Issue #23369: Fixed possible integer overflow in
  _json.encode_basestring_ascii.

--- a/Modules/_csv.c
+++ b/Modules/_csv.c
@@ -985,11 +985,19 @@ join_append_data(WriterObj *self, char *field, int quote_empty,
    int i, rec_len;
    char *lineterm;
-#define ADDCH(c) \
+#define INCLEN \
+    do {\
+        if (!copy_phase && rec_len == INT_MAX) { \
+            goto overflow; \
+        } \
+        rec_len++; \
+    } while(0)
+#define ADDCH(c)                                \
    do {\
        if (copy_phase) \
            self->rec[rec_len] = c;\
-        rec_len++;\
+        INCLEN;\
    } while(0)
    lineterm = PyString_AsString(dialect->lineterminator);
@@ -1059,11 +1067,18 @@ join_append_data(WriterObj *self, char *field, int quote_empty,
    if (*quoted) {
        if (copy_phase)
            ADDCH(dialect->quotechar);
-        else
+        else {
-            rec_len += 2;
+            INCLEN; /* starting quote */
+            INCLEN; /* ending quote */
+        }
    }
    return rec_len;
+  overflow:
+    PyErr_NoMemory();
+    return -1;
 #undef ADDCH
+#undef INCLEN
 }
 static int