[Python-checkins] python/dist/src/Objects stringobject.c,2.200,2.201 unicodeobject.c,2.175,2.176

lemburg@users.sourceforge.net lemburg@users.sourceforge.net
Sun, 29 Dec 2002 11:44:09 -0800 

Update of /cvsroot/python/python/dist/src/Objects
In directory sc8-pr-cvs1:/tmp/cvs-serv14562/Objects

Modified Files:
	stringobject.c unicodeobject.c 
Log Message:
Patch for bug #659709: bogus computation of float length

Python 2.2.x backport candidate. (This bug has been around since
Python 1.6.)



Index: stringobject.c
===================================================================
RCS file: /cvsroot/python/python/dist/src/Objects/stringobject.c,v
retrieving revision 2.200
retrieving revision 2.201
diff -C2 -d -r2.200 -r2.201
*** stringobject.c	29 Dec 2002 16:33:11 -0000	2.200
--- stringobject.c	29 Dec 2002 19:44:06 -0000	2.201
***************
*** 3362,3380 ****
  	if (type == 'f' && fabs(x)/1e25 >= 1e25)
  		type = 'g';
! 	PyOS_snprintf(fmt, sizeof(fmt), "%%%s.%d%c",
! 		      (flags&F_ALT) ? "#" : "",
! 		      prec, type);
! 	/* worst case length calc to ensure no buffer overrun:
  	     fmt = %#.<prec>g
  	     buf = '-' + [0-9]*prec + '.' + 'e+' + (longest exp
  	        for any double rep.)
  	     len = 1 + prec + 1 + 2 + 5 = 9 + prec
  	   If prec=0 the effective precision is 1 (the leading digit is
! 	   always given), therefore increase by one to 10+prec. */
! 	if (buflen <= (size_t)10 + (size_t)prec) {
  		PyErr_SetString(PyExc_OverflowError,
  			"formatted float is too long (precision too large?)");
  		return -1;
  	}
  	PyOS_snprintf(buf, buflen, fmt, x);
  	return strlen(buf);
--- 3362,3390 ----
  	if (type == 'f' && fabs(x)/1e25 >= 1e25)
  		type = 'g';
! 	/* Worst case length calc to ensure no buffer overrun:
! 
! 	   'g' formats:
  	     fmt = %#.<prec>g
  	     buf = '-' + [0-9]*prec + '.' + 'e+' + (longest exp
  	        for any double rep.)
  	     len = 1 + prec + 1 + 2 + 5 = 9 + prec
+ 
+ 	   'f' formats:
+ 	     buf = '-' + [0-9]*x + '.' + [0-9]*prec (with x < 50)
+ 	     len = 1 + 50 + 1 + prec = 52 + prec
+ 
  	   If prec=0 the effective precision is 1 (the leading digit is
! 	   always given), therefore increase the length by one. 
! 
! 	*/
! 	if ((type == 'g' && buflen <= (size_t)10 + (size_t)prec) ||
! 	    (type == 'f' && buflen <= (size_t)53 + (size_t)prec)) {
  		PyErr_SetString(PyExc_OverflowError,
  			"formatted float is too long (precision too large?)");
  		return -1;
  	}
+ 	PyOS_snprintf(fmt, sizeof(fmt), "%%%s.%d%c",
+ 		      (flags&F_ALT) ? "#" : "",
+ 		      prec, type);
  	PyOS_snprintf(buf, buflen, fmt, x);
  	return strlen(buf);

Index: unicodeobject.c
===================================================================
RCS file: /cvsroot/python/python/dist/src/Objects/unicodeobject.c,v
retrieving revision 2.175
retrieving revision 2.176
diff -C2 -d -r2.175 -r2.176
*** unicodeobject.c	18 Nov 2002 16:10:18 -0000	2.175
--- unicodeobject.c	29 Dec 2002 19:44:06 -0000	2.176
***************
*** 6000,6017 ****
      if (type == 'f' && (fabs(x) / 1e25) >= 1e25)
  	type = 'g';
!     PyOS_snprintf(fmt, sizeof(fmt), "%%%s.%d%c",
! 		  (flags & F_ALT) ? "#" : "", prec, type);
!     /* worst case length calc to ensure no buffer overrun:
!          fmt = %#.<prec>g
!          buf = '-' + [0-9]*prec + '.' + 'e+' + (longest exp
!             for any double rep.)
!          len = 1 + prec + 1 + 2 + 5 = 9 + prec
         If prec=0 the effective precision is 1 (the leading digit is
!        always given), therefore increase by one to 10+prec. */
!     if (buflen <= (size_t)10 + (size_t)prec) {
  	PyErr_SetString(PyExc_OverflowError,
! 	    "formatted float is too long (precision too long?)");
  	return -1;
      }
      return usprintf(buf, fmt, x);
  }
--- 6000,6028 ----
      if (type == 'f' && (fabs(x) / 1e25) >= 1e25)
  	type = 'g';
!     /* Worst case length calc to ensure no buffer overrun:
! 
!        'g' formats:
! 	 fmt = %#.<prec>g
! 	 buf = '-' + [0-9]*prec + '.' + 'e+' + (longest exp
! 	    for any double rep.)
! 	 len = 1 + prec + 1 + 2 + 5 = 9 + prec
! 
!        'f' formats:
! 	 buf = '-' + [0-9]*x + '.' + [0-9]*prec (with x < 50)
! 	 len = 1 + 50 + 1 + prec = 52 + prec
! 
         If prec=0 the effective precision is 1 (the leading digit is
!        always given), therefore increase the length by one. 
! 
!     */
!     if ((type == 'g' && buflen <= (size_t)10 + (size_t)prec) ||
! 	(type == 'f' && buflen <= (size_t)53 + (size_t)prec)) {
  	PyErr_SetString(PyExc_OverflowError,
! 			"formatted float is too long (precision too large?)");
  	return -1;
      }
+     PyOS_snprintf(fmt, sizeof(fmt), "%%%s.%d%c",
+ 		  (flags&F_ALT) ? "#" : "",
+ 		  prec, type);
      return usprintf(buf, fmt, x);
  }