From: Gregory P. Smith Date: Wed, 9 Apr 2008 23:41:13 +0000 (+0000) Subject: Backport r62261 from trunk: X-Git-Tag: v2.5.3c1~108 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=14acde30f634c1b52e498e29dd772c4fa9f41380;p=python Backport r62261 from trunk: Prevent PyString_FromStringAndSize() from passing negative sizes on to lower level memory allocation functions. Raise a SystemError and return NULL instead. --- diff --git a/Misc/NEWS b/Misc/NEWS index 357fa4f0cb..aeee3f8f55 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -30,13 +30,15 @@ Core and builtins - Issue #2238: Some syntax errors in *args and **kwargs expressions could give bogus error messages. +- Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size + parameter but was not verifying that it was greater than zero. Values + less than zero will now raise a SystemError and return NULL to indicate a + bug in the calling C code. + Library ------- -- zlib.decompressobj().flush(value) no longer crashes the interpreter when - passed a value less than or equal to zero. - - Issue #2495: tokenize.untokenize now inserts a space between two consecutive string literals; previously, ["" ""] was rendered as [""""], which is incorrect python code. @@ -72,6 +74,9 @@ Library Extension Modules ----------------- +- zlib.decompressobj().flush(value) no longer crashes the interpreter when + passed a value less than or equal to zero. + Tests ----- diff --git a/Objects/stringobject.c b/Objects/stringobject.c index e1e287fba1..7cd613dd87 100644 --- a/Objects/stringobject.c +++ b/Objects/stringobject.c @@ -54,6 +54,11 @@ PyString_FromStringAndSize(const char *str, Py_ssize_t size) { register PyStringObject *op; assert(size >= 0); + if (size < 0) { + PyErr_SetString(PyExc_SystemError, + "Negative size passed to PyString_FromStringAndSize"); + return NULL; + } if (size == 0 && (op = nullstring) != NULL) { #ifdef COUNT_ALLOCS null_strings++;
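Review bot: In the Misc/NEWS hunk, the Issue #2587 entry says the size parameter "was not verifying that it was greater than zero", but the check added in Objects/stringobject.c rejects only `size < 0`, and a size of zero is still accepted by the `size == 0` branch that follows it. Suggest "was not verifying that it was non-negative", which also matches the entry's next sentence, "Values less than zero will now raise a SystemError".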
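Review bot: In the Objects/stringobject.c hunk, the existing `assert(size >= 0);` stays directly above the new `if (size < 0)` check, so a build with assertions enabled aborts on a negative size before the SystemError path can run, and only builds compiled with NDEBUG get the behaviour the commit message describes. If callers are always meant to see SystemError and NULL, drop the assert; if the abort in debug builds is intended, a short comment saying so would help. The diff also touches only Misc/NEWS and stringobject.c, so nothing in it exercises the negative-size path; a test that does would be worth adding.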