Merged revisions 73677,73681 via svnmerge from
authorHirokazu Yamamoto <ocean-city@m2.ccsnet.ne.jp>
Mon, 29 Jun 2009 14:54:12 +0000 (14:54 +0000)
committerHirokazu Yamamoto <ocean-city@m2.ccsnet.ne.jp>
Mon, 29 Jun 2009 14:54:12 +0000 (14:54 +0000)
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r73677 | hirokazu.yamamoto | 2009-06-29 22:25:16 +0900 | 2 lines

  Issue #6344: Fixed a crash of mmap.read() when passed a negative argument.
  Reviewed by Amaury Forgeot d'Arc.
........
  r73681 | hirokazu.yamamoto | 2009-06-29 23:29:31 +0900 | 1 line

  Fixed NEWS.
........

Misc/NEWS
Modules/mmapmodule.c

index 37b7c135e0781f0bed5d01c687b9945b5de4c58b..411df541a9b32779f97abf5fb8b4602e9be1f0fa 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -17,6 +17,8 @@ Core and Builtins
 Library
 -------
 
+- Issue #6344: Fixed a crash of mmap.read() when passed a negative argument.
+
 - The deprecated function string.maketrans has been removed.
 
 Build
index 37584e222559f70eb46529d0839eaba7e2c5cf95..9d6d6af89ce7b4611fcf224c3278bbca4172a41f 100644 (file)
@@ -238,7 +238,7 @@ static PyObject *
 mmap_read_method(mmap_object *self,
                 PyObject *args)
 {
-       Py_ssize_t num_bytes;
+       Py_ssize_t num_bytes, n;
        PyObject *result;
 
        CHECK_VALID(NULL);
@@ -246,8 +246,18 @@ mmap_read_method(mmap_object *self,
                return(NULL);
 
        /* silently 'adjust' out-of-range requests */
-       if (num_bytes > self->size - self->pos) {
-               num_bytes -= (self->pos+num_bytes) - self->size;
+       assert(self->size >= self->pos);
+       n = self->size - self->pos;
+       /* The difference can overflow, only if self->size is greater than
+        * PY_SSIZE_T_MAX.  But then the operation cannot possibly succeed,
+        * because the mapped area and the returned string each need more 
+        * than half of the addressable memory.  So we clip the size, and let
+        * the code below raise MemoryError.
+        */
+       if (n < 0)
+               n = PY_SSIZE_T_MAX;
+       if (num_bytes < 0 || num_bytes > n) {
+               num_bytes = n;
        }
        result = PyBytes_FromStringAndSize(self->data+self->pos, num_bytes);
        self->pos += num_bytes;
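Review bot: The added `assert(self->size >= self->pos);` is the only guard on the invariant the clamp depends on, and it is compiled out when NDEBUG is defined. The field declarations are outside this hunk, but the overflow comment suggests they are unsigned; if so, a `pos` that has ended up past `size` makes the subtraction wrap, the `n < 0` branch raises `n` to PY_SSIZE_T_MAX, and a positive `num_bytes` then passes the clamp and is copied from beyond the mapping. A runtime clamp such as `n = (self->pos < self->size) ? self->size - self->pos : 0;` keeps the read in bounds in release builds as well. Separately, the last line advances `self->pos` even when `PyBytes_FromStringAndSize` returned NULL, which is exactly the clipped case the comment describes and can itself leave `pos` above `size`; `if (result != NULL) self->pos += num_bytes;` avoids that. The function starts before and returns after this hunk, so the `return` path is not visible here.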