[Python-checkins] python/dist/src/Objects stringobject.c,2.193,2.194 unicodeobject.c,2.171,2.172

gvanrossum@users.sourceforge.net gvanrossum@users.sourceforge.net
Thu, 10 Oct 2002 17:43:50 -0700


Update of /cvsroot/python/python/dist/src/Objects
In directory usw-pr-cvs1:/tmp/cvs-serv19831

Modified Files:
	stringobject.c unicodeobject.c 
Log Message:
Fix a nasty endcase reported by Armin Rigo in SF bug 618623:
'%2147483647d' % -123 segfaults.  This was because an integer overflow
in a comparison caused the string resize to be skipped.  After fixing
the overflow, this could call _PyString_Resize() with a negative size,
so I (1) test for that and raise MemoryError instead; (2) also added a
test for negative newsize to _PyString_Resize(), raising SystemError
as for all bad arguments.

An identical bug existed in unicodeobject.c, of course.

Will backport to 2.2.2.


Index: stringobject.c
===================================================================
RCS file: /cvsroot/python/python/dist/src/Objects/stringobject.c,v
retrieving revision 2.193
retrieving revision 2.194
diff -C2 -d -r2.193 -r2.194
*** stringobject.c	9 Oct 2002 19:14:30 -0000	2.193
--- stringobject.c	11 Oct 2002 00:43:48 -0000	2.194
***************
*** 3320,3324 ****
  	register PyStringObject *sv;
  	v = *pv;
! 	if (!PyString_Check(v) || v->ob_refcnt != 1) {
  		*pv = 0;
  		Py_DECREF(v);
--- 3320,3324 ----
  	register PyStringObject *sv;
  	v = *pv;
! 	if (!PyString_Check(v) || v->ob_refcnt != 1 || newsize < 0) {
  		*pv = 0;
  		Py_DECREF(v);
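Review bot: The widened condition ending in `newsize < 0` now folds three unrelated rejection reasons into one test, and nothing says why a negative size is among them; a short comment above the `if` would help, for example `/* newsize < 0 means the caller's length arithmetic wrapped; reject it before it reaches the allocator */`. This branch also clears `*pv` and drops the reference, so a caller that passes a wrapped size loses its string as well as getting an error, which deserves a line in the function's header comment. Only the lower bound is checked in the visible lines; whether the size computation further down can overflow for a very large positive newsize cannot be judged here, because the body continues outside the hunk. The same comment would suit the `length < 0` test added to _PyUnicode_Resize in unicodeobject.c.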
***************
*** 3960,3967 ****
  			if (width < len)
  				width = len;
! 			if (rescnt < width + (sign != 0)) {
  				reslen -= rescnt;
  				rescnt = width + fmtcnt + 100;
  				reslen += rescnt;
  				if (_PyString_Resize(&result, reslen) < 0)
  					return NULL;
--- 3960,3971 ----
  			if (width < len)
  				width = len;
! 			if (rescnt - (sign != 0) < width) {
  				reslen -= rescnt;
  				rescnt = width + fmtcnt + 100;
  				reslen += rescnt;
+ 				if (reslen < 0) {
+ 					Py_DECREF(result);
+ 					return PyErr_NoMemory();
+ 				}
  				if (_PyString_Resize(&result, reslen) < 0)
  					return NULL;
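Review bot: The new `reslen < 0` test runs after `rescnt = width + fmtcnt + 100` and `reslen += rescnt` have already been evaluated, so it catches the overflow only if signed arithmetic wraps; in C signed overflow is undefined, and an optimizing compiler may assume it never happens and drop the test. Comparing the operands against INT_MAX (from `<limits.h>`) before adding gives the same MemoryError without depending on wraparound. This assumes width, fmtcnt, rescnt and reslen are plain int and that fmtcnt is never negative, which the declarations outside the hunk would confirm. The identical sequence in the unicodeobject.c formatting hunk needs the same change, and the enclosing function starts and ends outside this hunk.

```c
			if (rescnt - (sign != 0) < width) {
				int used = reslen - rescnt;	/* bytes already written */
				/* Reject before adding, so no signed sum can overflow. */
				if (width > INT_MAX - 100 - fmtcnt ||
				    used > INT_MAX - (width + fmtcnt + 100)) {
					Py_DECREF(result);
					return PyErr_NoMemory();
				}
				rescnt = width + fmtcnt + 100;
				reslen = used + rescnt;
				/* … unchanged: _PyString_Resize call and its error return … */
```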

Index: unicodeobject.c
===================================================================
RCS file: /cvsroot/python/python/dist/src/Objects/unicodeobject.c,v
retrieving revision 2.171
retrieving revision 2.172
diff -C2 -d -r2.171 -r2.172
*** unicodeobject.c	24 Sep 2002 09:32:14 -0000	2.171
--- unicodeobject.c	11 Oct 2002 00:43:48 -0000	2.172
***************
*** 262,266 ****
      }
      v = (PyUnicodeObject *)*unicode;
!     if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1) {
  	PyErr_BadInternalCall();
  	return -1;
--- 262,266 ----
      }
      v = (PyUnicodeObject *)*unicode;
!     if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1 || length < 0) {
  	PyErr_BadInternalCall();
  	return -1;
***************
*** 6484,6491 ****
  	    if (width < len)
  		width = len;
! 	    if (rescnt < width + (sign != 0)) {
  		reslen -= rescnt;
  		rescnt = width + fmtcnt + 100;
  		reslen += rescnt;
  		if (_PyUnicode_Resize(&result, reslen) < 0)
  		    return NULL;
--- 6484,6495 ----
  	    if (width < len)
  		width = len;
! 	    if (rescnt - (sign != 0) < width) {
  		reslen -= rescnt;
  		rescnt = width + fmtcnt + 100;
  		reslen += rescnt;
+ 		if (reslen < 0) {
+ 		    Py_DECREF(result);
+ 		    return PyErr_NoMemory();
+ 		}
  		if (_PyUnicode_Resize(&result, reslen) < 0)
  		    return NULL;
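Review bot: The `return NULL` after a failed `_PyUnicode_Resize(&result, reslen)` looks like it leaks `result`: the bad-argument path of _PyUnicode_Resize shown in the earlier unicodeobject.c hunk returns -1 without releasing the object, whereas the new `reslen < 0` branch just above does `Py_DECREF(result)` before returning. If the other failure paths of _PyUnicode_Resize, which are not visible here, also leave the object alive, this exit should release it too: `if (_PyUnicode_Resize(&result, reslen) < 0) { Py_DECREF(result); return NULL; }`. Both early returns may also bypass cleanup the rest of the function performs for its other temporaries; that code is outside this hunk and worth checking.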