[Python-checkins] cpython (merge 3.4 -> 3.5): merge 3.4 (closes #27758)
benjamin.peterson
python-checkins at python.org
Sat Aug 13 20:22:37 EDT 2016
https://hg.python.org/cpython/rev/55e8d3e542bd
changeset: 102639:55e8d3e542bd
branch: 3.5
parent: 102633:c1cc1f616285
parent: 102638:10b89df93c58
user: Benjamin Peterson <benjamin at python.org>
date: Sat Aug 13 17:21:54 2016 -0700
summary:
merge 3.4 (closes #27758)
files:
Misc/NEWS | 3 +++
Modules/_csv.c | 23 +++++++++++++++++++----
2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -37,6 +37,9 @@
- Issue #26750: unittest.mock.create_autospec() now works properly for
subclasses of property() and other data descriptors.
+- Issue #27758: Fix possible integer overflow in the _csv module for large record
+ lengths.
+
- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
that the script is in CGI mode.
diff --git a/Modules/_csv.c b/Modules/_csv.c
--- a/Modules/_csv.c
+++ b/Modules/_csv.c
@@ -1014,11 +1014,19 @@
int i;
Py_ssize_t rec_len;
-#define ADDCH(c) \
+#define INCLEN \
+ do {\
+ if (!copy_phase && rec_len == PY_SSIZE_T_MAX) { \
+ goto overflow; \
+ } \
+ rec_len++; \
+ } while(0)
+
+#define ADDCH(c) \
do {\
if (copy_phase) \
self->rec[rec_len] = c;\
- rec_len++;\
+ INCLEN;\
} while(0)
rec_len = self->rec_len;
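Review bot: `INCLEN` tests `rec_len == PY_SSIZE_T_MAX` only when `copy_phase` is false, so in the copy pass `ADDCH` stores to `self->rec[rec_len]` with no bound of its own. That is safe only if a sizing pass over the same field has already succeeded and the buffer was grown to the length it returned. The invariant is not stated in the hunk, so I would add a comment above the macro, for example `/* Overflow is checked in the sizing pass only; the copy pass relies on that pass having succeeded and on rec having been resized to fit. */`. `INCLEN` also hides a `goto overflow`, so the comment should say that the macro may leave the function through that label. The enclosing function starts before this hunk, so the sizing-then-copy call order cannot be confirmed from here.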
@@ -1072,11 +1080,18 @@
if (*quoted) {
if (copy_phase)
ADDCH(dialect->quotechar);
- else
- rec_len += 2;
+ else {
+ INCLEN; /* starting quote */
+ INCLEN; /* ending quote */
+ }
}
return rec_len;
+
+ overflow:
+ PyErr_NoMemory();
+ return -1;
#undef ADDCH
+#undef INCLEN
}
static int
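Review bot: The new `overflow:` path returns -1 with a MemoryError set, so every caller has to test for a negative result before using the returned value as a record length or a buffer size. The callers are outside this hunk and should be checked for that. It would help to record the contract in the function's header comment, for example `/* Returns the new record length, or -1 with an exception set if the length would exceed PY_SSIZE_T_MAX. */`. A smaller style point in the quoted branch: the `if (copy_phase)` arm is unbraced while the new `else` arm is braced, and bracing both (`if (copy_phase) {` ... `} else {`) keeps the macro call from depending on its `do { } while(0)` wrapper.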
--
Repository URL: https://hg.python.org/cpython