[Python-Dev] [Python-checkins] cpython (merge 3.2 -> default): Fix out of bounds read in long_new() for empty bytes with an explicit base.

Christian Heimes lists at cheimes.de
Wed Sep 12 18:33:35 CEST 2012


On 12.09.2012 18:14, Terry Reedy wrote:
> On 9/12/2012 10:22 AM, Stefan Krah wrote:
>> christian.heimes <python-checkins at python.org> wrote:
>>> Fix out of bounds read in long_new() for empty bytes with an explicit
>>> base.
>>> int(b'', somebase) calls PyLong_FromString() with char* of length 1
> 
> I don't know what happens internally, but such calls raise
> ValueError: invalid literal for int() with base 16: ''
> Of course, even if int() traps such calls before calling
> PyLong_FromString, an extension writer could goof.
> 
> Does the length 1 come from added \0?

Coverity (a static code analyzing tool) claims that some code paths
may read beyond the end of data when an empty byte string and any base
is given. Internally b'' is converted to a null terminated char array
(PyBytes_AS_STRING() returns a null terminated char*).

My change shortcuts the execution path and immediately raises an
exception for the combination of b'' and some base.

> By the way, excessively long lines in checkin messages are a nuisance
> for reading and responding ;-).

Sorry! In the future I'll add more line breaks. :)
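
The guard described in this message (reject an empty buffer before the NUL-terminated digit parser ever sees it), as an added example that is not CPython's code and not from the original post. The helper name `parse_int_bytes` is hypothetical, `strtol()` stands in for the digit parser, and the buffer is assumed to be NUL-terminated the way `PyBytes_AS_STRING()` data is.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not CPython code: convert a length-delimited,
 * NUL-terminated byte buffer to a long in the given base.
 * Returns 0 on success, -1 for an invalid literal. */
int parse_int_bytes(const char *buf, size_t size, int base, long *out)
{
    char *end;
    long value;

    /* Guard 1: empty input is rejected up front, so the digit parser
     * never receives a buffer that holds only the terminator. */
    if (size == 0)
        return -1;

    /* Guard 2: an embedded NUL makes the C-string length differ from
     * the declared size; the parser would silently stop early. */
    if (strlen(buf) != size)
        return -1;

    /* strtol() accepts base 0 or 2..36 only. */
    if (base != 0 && (base < 2 || base > 36))
        return -1;

    errno = 0;
    value = strtol(buf, &end, base);

    /* Require at least one digit, full consumption of the declared
     * length, and no overflow. */
    if (end == buf || (size_t)(end - buf) != size || errno == ERANGE)
        return -1;

    *out = value;
    return 0;
}
```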


