cpython (2.7): avoid overflow with large buffer sizes and/or offsets (closes #21831)
http://hg.python.org/cpython/rev/8d963c7db507 changeset: 91351:8d963c7db507 branch: 2.7 user: Benjamin Peterson <benjamin@python.org> date: Mon Jun 23 20:12:27 2014 -0700 summary: avoid overflow with large buffer sizes and/or offsets (closes #21831) files: Lib/test/test_buffer.py | 6 ++++++ Misc/NEWS | 3 +++ Objects/bufferobject.c | 4 ++-- 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/Lib/test/test_buffer.py b/Lib/test/test_buffer.py
--- a/Lib/test/test_buffer.py
+++ b/Lib/test/test_buffer.py
@@ -4,6 +4,7 @@
 """
+import sys
 import unittest
 from test import test_support
@@ -29,6 +30,11 @@
 m = memoryview(b) # Should not raise an exception
 self.assertEqual(m.tobytes(), s)
+ def test_large_buffer_size_and_offset(self):
+ data = bytearray('hola mundo')
+ buf = buffer(data, sys.maxsize, sys.maxsize)
+ self.assertEqual(buf[:4096], "")
+
 def test_main():
 with test_support.check_py3k_warnings(("buffer.. not supported",
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@
 Core and Builtins
 -----------------
+- Issue #21831: Avoid integer overflow when large sizes and offsets are given to
+ the buffer type.
+
 - Issue #1856: Avoid crashes and lockups when daemon threads run while the interpreter is shutting down; instead, these threads are now killed when they try to take the GIL.
diff --git a/Objects/bufferobject.c b/Objects/bufferobject.c
--- a/Objects/bufferobject.c
+++ b/Objects/bufferobject.c
@@ -88,7 +88,7 @@
 *size = count;
 else
 *size = self->b_size;
- if (offset + *size > count)
+ if (*size > count - offset)
 *size = count - offset;
 }
 return 1;
@@ -875,4 +875,4 @@
 0, /* tp_init */
 0, /* tp_alloc */
 buffer_new, /* tp_new */
-};
\ No newline at end of file
+};
-- Repository URL: http://hg.python.org/cpython
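Review bot: test_large_buffer_size_and_offset only covers the case where both the offset and the size are sys.maxsize, so it asserts an empty result and never checks that an oversized size is trimmed to the bytes that remain after an in-range offset. A second assertion such as `self.assertEqual(buffer(data, 2, sys.maxsize)[:4096], "la mundo")` would pin that path, which also depends on the rewritten comparison in Objects/bufferobject.c. Adding `self.assertEqual(len(buf), 0)` would check the reported length as well as the slice.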
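Review bot: The rewritten check `if (*size > count - offset)` in the -88,7 hunk is only overflow-free while `0 <= offset <= count`, and nothing in the visible lines establishes that bound. The function starts above the hunk, so the clamp is presumably applied there, but that should be confirmed. A short comment on the line would stop a later cleanup from restoring the additive form, for example `/* compare against count - offset: offset + *size can overflow */`. It is also worth confirming that a negative `self->b_size` cannot reach the `else` branch, since a negative `*size` passes this comparison unchanged.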