[Python-checkins] bpo-38540: Fix possible leak in PyArg_Parse for "esGH-" and "etGH-". (GH-16869)

Mon Oct 21 04:56:54 EDT 2019

https://github.com/python/cpython/commit/3dec84f40ef49bab994a1af4e6082bf81021feab
commit: 3dec84f40ef49bab994a1af4e6082bf81021feab
branch: 3.7
author: Miss Skeleton (bot) <31488909+miss-islington at users.noreply.github.com>
committer: GitHub <noreply at github.com>
date: 2019-10-21T01:56:50-07:00
summary:

bpo-38540: Fix possible leak in PyArg_Parse for "esGH-" and "etGH-". (GH-16869)

(cherry picked from commit 5bc6a7c06eda20ba131ecba6752be0506d310181)

Co-authored-by: Serhiy Storchaka <storchaka at gmail.com>

files:
A Misc/NEWS.d/next/C API/2019-10-21-09-24-03.bpo-38540.314N_T.rst
M Python/getargs.c

diff --git a/Misc/NEWS.d/next/C API/2019-10-21-09-24-03.bpo-38540.314N_T.rst b/Misc/NEWS.d/next/C API/2019-10-21-09-24-03.bpo-38540.314N_T.rst
new file mode 100644
index 0000000000000..1d73ad8fe96e6
--- /dev/null
+++ b/Misc/NEWS.d/next/C API/2019-10-21-09-24-03.bpo-38540.314N_T.rst	
@@ -0,0 +1,3 @@
+Fixed possible leak in :c:func:`PyArg_Parse` and similar functions for
+format units ``"es#"`` and ``"et#"`` when the macro
+:c:macro:`PY_SSIZE_T_CLEAN` is not defined.
diff --git a/Python/getargs.c b/Python/getargs.c
index 73e47f84561b8..c3895d1d6c594 100644
--- a/Python/getargs.c
+++ b/Python/getargs.c
@@ -1176,7 +1176,19 @@ convertsimple(PyObject *arg, const char **p_format, va_list *p_va, int flags,
                trailing 0-byte
 
             */
-            FETCH_SIZE;
+            int *q = NULL; Py_ssize_t *q2 = NULL;
+            if (flags & FLAG_SIZE_T) {
+                q2 = va_arg(*p_va, Py_ssize_t*);
+            }
+            else {
+                if (PyErr_WarnEx(PyExc_DeprecationWarning,
+                            "PY_SSIZE_T_CLEAN will be required for '#' formats", 1))
+                {
+                    Py_DECREF(s);
+                    return NULL;
+                }
+                q = va_arg(*p_va, int*);
+            }
 
             format++;
             if (q == NULL && q2 == NULL) {
@@ -1209,7 +1221,19 @@ convertsimple(PyObject *arg, const char **p_format, va_list *p_va, int flags,
                 }
             }
             memcpy(*buffer, ptr, size+1);
-            STORE_SIZE(size);
+
+            if (flags & FLAG_SIZE_T) {
+                *q2 = size;
+            }
+            else {
+                if (INT_MAX < size) {
+                    Py_DECREF(s);
+                    PyErr_SetString(PyExc_OverflowError,
+                                    "size does not fit in an int");
+                    return converterr("", arg, msgbuf, bufsize);
+                }
+                *q = (int)size;
+            }
         } else {
             /* Using a 0-terminated buffer:
 

