[Python-checkins] cpython (3.4): Issue #23985: Fix a possible buffer overrun when deleting a slice from the

[antoine.pitrou]

https://hg.python.org/cpython/rev/98c1201d8eea
changeset:   96159:98c1201d8eea
branch:      3.4
parent:      96157:cf52756f19b6
user:        Antoine Pitrou <solipsis at pitrou.net>
date:        Tue May 19 20:52:27 2015 +0200
summary:
  Issue #23985: Fix a possible buffer overrun when deleting a slice from the front of a bytearray and then appending some other bytes data.

Patch by Martin Panter.

files:
  Lib/test/test_bytes.py    |  16 ++++++++++++++++
  Misc/NEWS                 |   3 +++
  Objects/bytearrayobject.c |   8 ++------
  3 files changed, 21 insertions(+), 6 deletions(-)


diff --git a/Lib/test/test_bytes.py b/Lib/test/test_bytes.py
--- a/Lib/test/test_bytes.py
+++ b/Lib/test/test_bytes.py
@@ -947,6 +947,22 @@
         b.extend(range(100, 110))
         self.assertEqual(list(b), list(range(10, 110)))
 
+    def test_fifo_overrun(self):
+        # Test for issue #23985, a buffer overrun when implementing a FIFO
+        # Build Python in pydebug mode for best results.
+        b = bytearray(10)
+        b.pop()        # Defeat expanding buffer off-by-one quirk
+        del b[:1]      # Advance start pointer without reallocating
+        b += bytes(2)  # Append exactly the number of deleted bytes
+        del b          # Free memory buffer, allowing pydebug verification
+
+    def test_del_expand(self):
+        # Reducing the size should not expand the buffer (issue #23985)
+        b = bytearray(10)
+        size = sys.getsizeof(b)
+        del b[:1]
+        self.assertLessEqual(sys.getsizeof(b), size)
+
     def test_extended_set_del_slice(self):
         indices = (0, None, 1, 3, 19, 300, 1<<333, -1, -2, -31, -300)
         for start in indices:
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@
 Core and Builtins
 -----------------
 
+- Issue #23985: Fix a possible buffer overrun when deleting a slice from
+  the front of a bytearray and then appending some other bytes data.
+
 - Issue #24102: Fixed exception type checking in standard error handlers.
 
 - Issue #20274: Remove ignored and erroneous "kwargs" parameters from three
diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c
--- a/Objects/bytearrayobject.c
+++ b/Objects/bytearrayobject.c
@@ -179,7 +179,7 @@
         return -1;
     }
 
-    if (size + logical_offset + 1 < alloc) {
+    if (size + logical_offset + 1 <= alloc) {
         /* Current buffer is large enough to host the requested size,
            decide on a strategy. */
         if (size < alloc / 2) {
@@ -298,11 +298,7 @@
         PyBuffer_Release(&vo);
         return PyErr_NoMemory();
     }
-    if (size < self->ob_alloc) {
-        Py_SIZE(self) = size;
-        PyByteArray_AS_STRING(self)[Py_SIZE(self)] = '\0'; /* Trailing null byte */
-    }
-    else if (PyByteArray_Resize((PyObject *)self, size) < 0) {
+    if (PyByteArray_Resize((PyObject *)self, size) < 0) {
         PyBuffer_Release(&vo);
         return NULL;
     }

-- 
Repository URL: https://hg.python.org/cpython