Issue #7561: Operations on empty bytearrays (such as `int(bytearray())`)

could crash in many places because of the PyByteArray_AS_STRING() macro
returning NULL.  The macro now returns a statically allocated empty
string instead.

diff --git a/Include/bytearrayobject.h b/Include/bytearrayobject.h
index 265b4bbdd03a6e5177ad32534166dc3e48b3a564..8702e5a834026dcf1d4a9e41c661a65981377f83 100644 (file)
--- a/Include/bytearrayobject.h
+++ b/Include/bytearrayobject.h
@@ -44,9 +44,13 @@ PyAPI_FUNC(char *) PyByteArray_AsString(PyObject *);
 PyAPI_FUNC(int) PyByteArray_Resize(PyObject *, Py_ssize_t);
 
 /* Macros, trading safety for speed */
-#define PyByteArray_AS_STRING(self) (assert(PyByteArray_Check(self)),((PyByteArrayObject *)(self))->ob_bytes)
+#define PyByteArray_AS_STRING(self) \
+    (assert(PyByteArray_Check(self)), \
+     Py_SIZE(self) ? ((PyByteArrayObject *)(self))->ob_bytes : _PyByteArray_empty_string)
 #define PyByteArray_GET_SIZE(self)  (assert(PyByteArray_Check(self)),Py_SIZE(self))
 
+extern char _PyByteArray_empty_string[];
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/Lib/test/test_bytes.py b/Lib/test/test_bytes.py
index f2c9aa39150b0b7926d16c03837462d2e676f38f..666894fb452a7a2e4aa9e8280e5837d6c9382cc2 100644 (file)
--- a/Lib/test/test_bytes.py
+++ b/Lib/test/test_bytes.py
@@ -783,6 +783,13 @@ class ByteArrayTest(BaseBytesTest):
         self.assertRaises(BufferError, delslice)
         self.assertEquals(b, orig)
 
+    def test_empty_bytearray(self):
+        # Issue #7561: operations on empty bytearrays could crash in many
+        # situations, due to a fragile implementation of the
+        # PyByteArray_AS_STRING() C macro.
+        self.assertRaises(ValueError, int, bytearray(b''))
+
+
 class AssortedBytesTest(unittest.TestCase):
     #
     # Test various combinations of bytes and bytearray

diff --git a/Misc/NEWS b/Misc/NEWS
index bc8529a43185740d28c1c0b16c888260d2775663..4806f2626cb7be62688d40fde348cca5b0b23f32 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -12,6 +12,11 @@ What's New in Python 2.7 alpha 3?
 Core and Builtins
 -----------------
 
+- Issue #7561: Operations on empty bytearrays (such as `int(bytearray())`)
+  could crash in many places because of the PyByteArray_AS_STRING() macro
+  returning NULL.  The macro now returns a statically allocated empty
+  string instead.
+
 - Issue #7622: Improve the split(), rsplit(), splitlines() and replace()
   methods of bytes, bytearray and unicode objects by using a common
   implementation based on stringlib's fast search.  Patch by Florent Xicluna.

diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c
index 308bd07c5148f9bf91b57226ff0cb429868f5191..fdeec4cf7a3fcae45fd0db58b27f34a980aebe6a 100644 (file)
--- a/Objects/bytearrayobject.c
+++ b/Objects/bytearrayobject.c
@@ -5,23 +5,16 @@
 #include "structmember.h"
 #include "bytes_methods.h"
 
-static PyByteArrayObject *nullbytes = NULL;
+char _PyByteArray_empty_string[] = "";
 
 void
 PyByteArray_Fini(void)
 {
-    Py_CLEAR(nullbytes);
 }
 
 int
 PyByteArray_Init(void)
 {
-    nullbytes = PyObject_New(PyByteArrayObject, &PyByteArray_Type);
-    if (nullbytes == NULL)
-        return 0;
-    nullbytes->ob_bytes = NULL;
-    Py_SIZE(nullbytes) = nullbytes->ob_alloc = 0;
-    nullbytes->ob_exports = 0;
     return 1;
 }
 
@@ -74,7 +67,7 @@ bytearray_buffer_getreadbuf(PyByteArrayObject *self, Py_ssize_t index, const voi
                 "accessing non-existent bytes segment");
         return -1;
     }
-    *ptr = (void *)self->ob_bytes;
+    *ptr = (void *)PyByteArray_AS_STRING(self);
     return Py_SIZE(self);
 }
 
@@ -86,7 +79,7 @@ bytearray_buffer_getwritebuf(PyByteArrayObject *self, Py_ssize_t index, const vo
                 "accessing non-existent bytes segment");
         return -1;
     }
-    *ptr = (void *)self->ob_bytes;
+    *ptr = (void *)PyByteArray_AS_STRING(self);
     return Py_SIZE(self);
 }
 
@@ -106,7 +99,7 @@ bytearray_buffer_getcharbuf(PyByteArrayObject *self, Py_ssize_t index, const cha
                 "accessing non-existent bytes segment");
         return -1;
     }
-    *ptr = self->ob_bytes;
+    *ptr = PyByteArray_AS_STRING(self);
     return Py_SIZE(self);
 }
 
@@ -119,10 +112,7 @@ bytearray_getbuffer(PyByteArrayObject *obj, Py_buffer *view, int flags)
                 obj->ob_exports++;
                 return 0;
         }
-        if (obj->ob_bytes == NULL)
-                ptr = "";
-        else
-                ptr = obj->ob_bytes;
+        ptr = (void *) PyByteArray_AS_STRING(obj);
         ret = PyBuffer_FillInfo(view, (PyObject*)obj, ptr, Py_SIZE(obj), 0, flags);
         if (ret >= 0) {
                 obj->ob_exports++;
@@ -201,7 +191,7 @@ PyByteArray_FromStringAndSize(const char *bytes, Py_ssize_t size)
             Py_DECREF(new);
             return PyErr_NoMemory();
         }
-        if (bytes != NULL)
+        if (bytes != NULL && size > 0)
             memcpy(new->ob_bytes, bytes, size);
         new->ob_bytes[size] = '\0';  /* Trailing null byte */
     }
@@ -1114,7 +1104,6 @@ bytearray_dealloc(PyByteArrayObject *self)
 #define STRINGLIB_LEN PyByteArray_GET_SIZE
 #define STRINGLIB_STR PyByteArray_AS_STRING
 #define STRINGLIB_NEW PyByteArray_FromStringAndSize
-#define STRINGLIB_EMPTY nullbytes
 #define STRINGLIB_ISSPACE Py_ISSPACE
 #define STRINGLIB_ISLINEBREAK(x) ((x == '\n') || (x == '\r'))
 #define STRINGLIB_CHECK_EXACT PyByteArray_CheckExact