Merged revisions 77576 via svnmerge from

svn+ssh://pythondev@svn.python.org/python/branches/py3k

................
  r77576 | antoine.pitrou | 2010-01-17 13:38:54 +0100 (dim., 17 janv. 2010) | 12 lines

  Merged revisions 77573 via svnmerge from
  svn+ssh://pythondev@svn.python.org/python/trunk

  ........
    r77573 | antoine.pitrou | 2010-01-17 13:26:20 +0100 (dim., 17 janv. 2010) | 6 lines

    Issue #7561: Operations on empty bytearrays (such as `int(bytearray())`)
    could crash in many places because of the PyByteArray_AS_STRING() macro
    returning NULL.  The macro now returns a statically allocated empty
    string instead.
  ........
................

diff --git a/Include/bytearrayobject.h b/Include/bytearrayobject.h
index 265b4bbdd03a6e5177ad32534166dc3e48b3a564..8702e5a834026dcf1d4a9e41c661a65981377f83 100644 (file)
--- a/Include/bytearrayobject.h
+++ b/Include/bytearrayobject.h
@@ -44,9 +44,13 @@ PyAPI_FUNC(char *) PyByteArray_AsString(PyObject *);
 PyAPI_FUNC(int) PyByteArray_Resize(PyObject *, Py_ssize_t);
 
 /* Macros, trading safety for speed */
-#define PyByteArray_AS_STRING(self) (assert(PyByteArray_Check(self)),((PyByteArrayObject *)(self))->ob_bytes)
+#define PyByteArray_AS_STRING(self) \
+    (assert(PyByteArray_Check(self)), \
+     Py_SIZE(self) ? ((PyByteArrayObject *)(self))->ob_bytes : _PyByteArray_empty_string)
 #define PyByteArray_GET_SIZE(self)  (assert(PyByteArray_Check(self)),Py_SIZE(self))
 
+extern char _PyByteArray_empty_string[];
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/Lib/test/test_bytes.py b/Lib/test/test_bytes.py
index f2222a1eba7e88885010dfcab65cc42e7346ea22..9ccc7874abce2bb0f1270646dbd582a135212217 100644 (file)
--- a/Lib/test/test_bytes.py
+++ b/Lib/test/test_bytes.py
@@ -811,6 +811,14 @@ class ByteArrayTest(BaseBytesTest):
         self.assertRaises(BufferError, delslice)
         self.assertEquals(b, orig)
 
+    def test_empty_bytearray(self):
+        # Issue #7561: operations on empty bytearrays could crash in many
+        # situations, due to a fragile implementation of the
+        # PyByteArray_AS_STRING() C macro.
+        self.assertRaises(ValueError, int, bytearray(b''))
+        self.assertRaises((ValueError, OSError), os.mkdir, bytearray(b''))
+
+
 class AssortedBytesTest(unittest.TestCase):
     #
     # Test various combinations of bytes and bytearray

diff --git a/Misc/NEWS b/Misc/NEWS
index c3a9f5c1dc3f3d67ba3045134c946cace675db12..1fc9986e9651c7d757fa6c73ce3b7b9adcd21aab 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -12,6 +12,11 @@ What's New in Python 3.1.2?
 Core and Builtins
 -----------------
 
+- Issue #7561: Operations on empty bytearrays (such as `int(bytearray())`)
+  could crash in many places because of the PyByteArray_AS_STRING() macro
+  returning NULL.  The macro now returns a statically allocated empty
+  string instead.
+
 - Issue #7632: Fix various str -> float conversion bugs present in 2.7
   alpha 2, including: (1) a serious 'wrong output' bug that could
   occur for long (> 40 digit) input strings, (2) a crash in dtoa.c

diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c
index 835244abe74a4b2f609319b12eacd26653dc9b1c..3d7b0b2aa56c7a2e535769fce2d4fcc752bc01d2 100644 (file)
--- a/Objects/bytearrayobject.c
+++ b/Objects/bytearrayobject.c
@@ -6,6 +6,7 @@
 #include "bytes_methods.h"
 
 static PyByteArrayObject *nullbytes = NULL;
+char _PyByteArray_empty_string[] = "";
 
 void
 PyByteArray_Fini(void)
@@ -65,10 +66,7 @@ bytearray_getbuffer(PyByteArrayObject *obj, Py_buffer *view, int flags)
         obj->ob_exports++;
         return 0;
     }
-    if (obj->ob_bytes == NULL)
-        ptr = "";
-    else
-        ptr = obj->ob_bytes;
+    ptr = (void *) PyByteArray_AS_STRING(obj);
     ret = PyBuffer_FillInfo(view, (PyObject*)obj, ptr, Py_SIZE(obj), 0, flags);
     if (ret >= 0) {
         obj->ob_exports++;
@@ -152,7 +150,7 @@ PyByteArray_FromStringAndSize(const char *bytes, Py_ssize_t size)
             Py_DECREF(new);
             return PyErr_NoMemory();
         }
-        if (bytes != NULL)
+        if (bytes != NULL && size > 0)
             memcpy(new->ob_bytes, bytes, size);
         new->ob_bytes[size] = '\0';  /* Trailing null byte */
     }