SF bug #494738: binascii_b2a_base64 overwrites memory.

binascii_b2a_base64():  We didn't allocate enough buffer space for very
short inputs (e.g., a 1-byte input can produce a 5-byte output, but we
only allocated 2 bytes).  I expect that malloc overheads absorbed the
overrun in practice, but computing a correct upper bound is a very simple
change.

diff --git a/Misc/ACKS b/Misc/ACKS
index 1ebf774382c94d6d263dc7d2c929bc3997295d96..3616e57013d2db41e5814f536b7ddb51fc2f0ec4 100644 (file)
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -92,6 +92,7 @@ Benjamin Collar
 Jeffery Collins
 Matt Conway
 David M. Cooke
+David Costanzo
 Scott Cotton
 Greg Couch
 Steve Cousins

diff --git a/Modules/binascii.c b/Modules/binascii.c
index 643450cf329f28bbdbe45cf7ada15b0b3775fff4..9ef305414f31b6b791c3d6fc24374fb7a1b2f38e 100644 (file)
--- a/Modules/binascii.c
+++ b/Modules/binascii.c
@@ -137,7 +137,7 @@ static char table_a2b_base64[] = {
 #define BASE64_PAD '='
 
 /* Max binary chunk size; limited only by available memory */
-#define BASE64_MAXBIN (INT_MAX/2 - sizeof(PyStringObject))
+#define BASE64_MAXBIN (INT_MAX/2 - sizeof(PyStringObject) - 3)
 
 static unsigned char table_b2a_base64[] =
 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
@@ -436,8 +436,10 @@ binascii_b2a_base64(PyObject *self, PyObject *args)
                return NULL;
        }
        
-       /* We're lazy and allocate to much (fixed up later) */
-       if ( (rv=PyString_FromStringAndSize(NULL, bin_len*2)) == NULL )
+       /* We're lazy and allocate too much (fixed up later).
+          "+3" leaves room for up to two pad characters and a trailing
+          newline.  Note that 'b' gets encoded as 'Yg==\n' (1 in, 5 out). */
+       if ( (rv=PyString_FromStringAndSize(NULL, bin_len*2 + 3)) == NULL )
                return NULL;
        ascii_data = (unsigned char *)PyString_AsString(rv);