Core and Builtins
-----------------
+- Issue #27473: Fixed possible integer overflow in bytes and bytearray
+ concatenations. Patch by Xiang Zhang.
+
- Issue #27443: __length_hint__() of bytearray itearator no longer return
negative integer for resized bytearray.
PyObject *
PyByteArray_Concat(PyObject *a, PyObject *b)
{
- Py_ssize_t size;
Py_buffer va, vb;
PyByteArrayObject *result = NULL;
goto done;
}
- size = va.len + vb.len;
- if (size < 0) {
- PyErr_NoMemory();
- goto done;
+ if (va.len > PY_SSIZE_T_MAX - vb.len) {
+ PyErr_NoMemory();
+ goto done;
}
- result = (PyByteArrayObject *) PyByteArray_FromStringAndSize(NULL, size);
+ result = (PyByteArrayObject *) \
+ PyByteArray_FromStringAndSize(NULL, va.len + vb.len);
if (result != NULL) {
memcpy(result->ob_bytes, va.buf, va.len);
memcpy(result->ob_bytes + va.len, vb.buf, vb.len);
static PyObject *
bytearray_iconcat(PyByteArrayObject *self, PyObject *other)
{
- Py_ssize_t mysize;
Py_ssize_t size;
Py_buffer vo;
return NULL;
}
- mysize = Py_SIZE(self);
- size = mysize + vo.len;
- if (size < 0) {
+ size = Py_SIZE(self);
+ if (size > PY_SSIZE_T_MAX - vo.len) {
PyBuffer_Release(&vo);
return PyErr_NoMemory();
}
- if (PyByteArray_Resize((PyObject *)self, size) < 0) {
+ if (PyByteArray_Resize((PyObject *)self, size + vo.len) < 0) {
PyBuffer_Release(&vo);
return NULL;
}
- memcpy(PyByteArray_AS_STRING(self) + mysize, vo.buf, vo.len);
+ memcpy(PyByteArray_AS_STRING(self) + size, vo.buf, vo.len);
PyBuffer_Release(&vo);
Py_INCREF(self);
return (PyObject *)self;
static PyObject *
bytes_concat(PyObject *a, PyObject *b)
{
- Py_ssize_t size;
Py_buffer va, vb;
PyObject *result = NULL;
goto done;
}
- size = va.len + vb.len;
- if (size < 0) {
+ if (va.len > PY_SSIZE_T_MAX - vb.len) {
PyErr_NoMemory();
goto done;
}
- result = PyBytes_FromStringAndSize(NULL, size);
+ result = PyBytes_FromStringAndSize(NULL, va.len + vb.len);
if (result != NULL) {
memcpy(PyBytes_AS_STRING(result), va.buf, va.len);
memcpy(PyBytes_AS_STRING(result) + va.len, vb.buf, vb.len);
projects / python / commitdiff