Issue #6344: Fixed a crash of mmap.read() when passed a negative argument.

Reviewed by Amaury Forgeot d'Arc.

diff --git a/Misc/NEWS b/Misc/NEWS
index 5ab68bc7a0bedcc31c66a08c9ce721e3c21beba4..d021fd28cebb5f0d6d999c94ebd0732cdedf75ba 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -12,6 +12,8 @@ What's New in Python 2.7 alpha 1
 Core and Builtins
 -----------------
 
+- Issue #6344: Fixed a crash of mmap.read() when passed a negative argument.
+
 - Issue #4856: Remove checks for win NT.
 
 - Issue #2016: Fixed a crash in a corner case where the dictionary of keyword

diff --git a/Modules/mmapmodule.c b/Modules/mmapmodule.c
index e1970cbb53be36d3b3eda6713d17acfb4ad260d9..5e0b3ad6211bed5cc986405a1fd5ba670975a9fd 100644 (file)
--- a/Modules/mmapmodule.c
+++ b/Modules/mmapmodule.c
@@ -232,7 +232,7 @@ static PyObject *
 mmap_read_method(mmap_object *self,
                 PyObject *args)
 {
-       Py_ssize_t num_bytes;
+       Py_ssize_t num_bytes, n;
        PyObject *result;
 
        CHECK_VALID(NULL);
@@ -240,8 +240,18 @@ mmap_read_method(mmap_object *self,
                return(NULL);
 
        /* silently 'adjust' out-of-range requests */
-       if (num_bytes > self->size - self->pos) {
-               num_bytes -= (self->pos+num_bytes) - self->size;
+       assert(self->size >= self->pos);
+       n = self->size - self->pos;
+       /* The difference can overflow, only if self->size is greater than
+        * PY_SSIZE_T_MAX.  But then the operation cannot possibly succeed,
+        * because the mapped area and the returned string each need more 
+        * than half of the addressable memory.  So we clip the size, and let
+        * the code below raise MemoryError.
+        */
+       if (n < 0)
+               n = PY_SSIZE_T_MAX;
+       if (num_bytes < 0 || num_bytes > n) {
+               num_bytes = n;
        }
        result = Py_BuildValue("s#", self->data+self->pos, num_bytes);
        self->pos += num_bytes;