[Python-checkins] cpython (merge 3.2 -> 3.3): Merge #14398: Fix size truncation and overflow bugs in bz2 module.

nadeem.vawda python-checkins at python.org
Sun Oct 21 21:22:12 CEST 2012 

http://hg.python.org/cpython/rev/25fdf297c077
changeset:   79879:25fdf297c077
branch:      3.3
parent:      79870:2530acc092d8
parent:      79878:ebb8c7d79f52
user:        Nadeem Vawda <nadeem.vawda at gmail.com>
date:        Sun Oct 21 21:16:58 2012 +0200
summary:
  Merge #14398: Fix size truncation and overflow bugs in bz2 module.

files:
  Misc/NEWS            |   2 +
  Modules/_bz2module.c |  33 +++++++++++++++++++++++--------
  2 files changed, 26 insertions(+), 9 deletions(-)


diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -46,6 +46,8 @@
 Library
 -------
 
+- Issue #14398: Fix size truncation and overflow bugs in the bz2 module.
+
 - Issue #16220: wsgiref now always calls close() on an iterable response.
   Patch by Brent Tubbs.
 
diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
--- a/Modules/_bz2module.c
+++ b/Modules/_bz2module.c
@@ -123,7 +123,14 @@
        giving us amortized linear-time behavior. Use a less-than-double
        growth factor to avoid excessive allocation. */
     size_t size = PyBytes_GET_SIZE(*buf);
-    return _PyBytes_Resize(buf, size + (size >> 3) + 6);
+    size_t new_size = size + (size >> 3) + 6;
+    if (new_size > size) {
+        return _PyBytes_Resize(buf, new_size);
+    } else {  /* overflow */
+        PyErr_SetString(PyExc_OverflowError,
+                        "Unable to allocate buffer - output too large");
+        return -1;
+    }
 }
 
 
@@ -169,10 +176,14 @@
             break;
 
         if (c->bzs.avail_out == 0) {
-            if (grow_buffer(&result) < 0)
-                goto error;
-            c->bzs.next_out = PyBytes_AS_STRING(result) + data_size;
-            c->bzs.avail_out = PyBytes_GET_SIZE(result) - data_size;
+            size_t buffer_left = PyBytes_GET_SIZE(result) - data_size;
+            if (buffer_left == 0) {
+                if (grow_buffer(&result) < 0)
+                    goto error;
+                c->bzs.next_out = PyBytes_AS_STRING(result) + data_size;
+                buffer_left = PyBytes_GET_SIZE(result) - data_size;
+            }
+            c->bzs.avail_out = MIN(buffer_left, UINT_MAX);
         }
     }
     if (data_size != PyBytes_GET_SIZE(result))
@@ -390,10 +401,14 @@
             len -= d->bzs.avail_in;
         }
         if (d->bzs.avail_out == 0) {
-            if (grow_buffer(&result) < 0)
-                goto error;
-            d->bzs.next_out = PyBytes_AS_STRING(result) + data_size;
-            d->bzs.avail_out = PyBytes_GET_SIZE(result) - data_size;
+            size_t buffer_left = PyBytes_GET_SIZE(result) - data_size;
+            if (buffer_left == 0) {
+                if (grow_buffer(&result) < 0)
+                    goto error;
+                d->bzs.next_out = PyBytes_AS_STRING(result) + data_size;
+                buffer_left = PyBytes_GET_SIZE(result) - data_size;
+            }
+            d->bzs.avail_out = MIN(buffer_left, UINT_MAX);
         }
     }
     if (data_size != PyBytes_GET_SIZE(result))

-- 
Repository URL: http://hg.python.org/cpython

More information about the Python-checkins mailing list