From: Serhiy Storchaka Date: Tue, 27 Sep 2016 12:24:13 +0000 (+0300) Subject: Issue #27963: Fixed possible null pointer dereference in ctypes.set_conversion_mode(). X-Git-Tag: v2.7.13rc1~108 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=36beb5ec135142b1e800577be49238bf767f4a79;p=python Issue #27963: Fixed possible null pointer dereference in ctypes.set_conversion_mode(). Patch by Xiang Zhang. --- diff --git a/Misc/NEWS b/Misc/NEWS index c1d111ca71..43999858c9 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -42,6 +42,9 @@ Core and Builtins Library ------- +- Issue #27963: Fixed possible null pointer dereference in + ctypes.set_conversion_mode(). Patch by Xiang Zhang. + - Issue #28284: Strengthen resistance of ``_json.encode_basestring_ascii()`` to integer overflow. diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c index 419beb188b..3a12eb603e 100644 --- a/Modules/_ctypes/callproc.c +++ b/Modules/_ctypes/callproc.c @@ -1688,22 +1688,41 @@ between unicode and strings. Returns the previous values.\n"; static PyObject * set_conversion_mode(PyObject *self, PyObject *args) { - char *coding, *mode; + char *coding, *mode, *errors, *encoding=NULL; PyObject *result; if (!PyArg_ParseTuple(args, "zs:set_conversion_mode", &coding, &mode)) return NULL; - result = Py_BuildValue("(zz)", _ctypes_conversion_encoding, _ctypes_conversion_errors); + + result = Py_BuildValue("(zz)", _ctypes_conversion_encoding, + _ctypes_conversion_errors); + if (!result) { + return NULL; + } + if (coding) { - PyMem_Free(_ctypes_conversion_encoding); - _ctypes_conversion_encoding = PyMem_Malloc(strlen(coding) + 1); - strcpy(_ctypes_conversion_encoding, coding); - } else { - _ctypes_conversion_encoding = NULL; + encoding = PyMem_Malloc(strlen(coding) + 1); + if (!encoding) { + Py_DECREF(result); + return PyErr_NoMemory(); + } + strcpy(encoding, coding); + } + + errors = PyMem_Malloc(strlen(mode) + 1); + if (!errors) { + Py_DECREF(result); + PyMem_Free(encoding); + return PyErr_NoMemory(); } + strcpy(errors, mode); + + PyMem_Free(_ctypes_conversion_encoding); + _ctypes_conversion_encoding = encoding; + PyMem_Free(_ctypes_conversion_errors); - _ctypes_conversion_errors = PyMem_Malloc(strlen(mode) + 1); - strcpy(_ctypes_conversion_errors, mode); + _ctypes_conversion_errors = errors; + return result; } #endif