From: Serhiy Storchaka <storchaka@gmail.com>
Date: Tue, 27 Sep 2016 12:24:13 +0000 (+0300)
Subject: Issue #27963: Fixed possible null pointer dereference in ctypes.set_conversion_mode().
X-Git-Tag: v2.7.13rc1~108
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=36beb5ec135142b1e800577be49238bf767f4a79;p=python

Issue #27963: Fixed possible null pointer dereference in ctypes.set_conversion_mode().
Patch by Xiang Zhang.
---

diff --git a/Misc/NEWS b/Misc/NEWS
index c1d111ca71..43999858c9 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -42,6 +42,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #27963: Fixed possible null pointer dereference in
+  ctypes.set_conversion_mode().  Patch by Xiang Zhang.
+
 - Issue #28284: Strengthen resistance of ``_json.encode_basestring_ascii()`` to
   integer overflow.
 
diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
index 419beb188b..3a12eb603e 100644
--- a/Modules/_ctypes/callproc.c
+++ b/Modules/_ctypes/callproc.c
@@ -1688,22 +1688,41 @@ between unicode and strings.  Returns the previous values.\n";
 static PyObject *
 set_conversion_mode(PyObject *self, PyObject *args)
 {
-    char *coding, *mode;
+    char *coding, *mode, *errors, *encoding=NULL;
     PyObject *result;
 
     if (!PyArg_ParseTuple(args, "zs:set_conversion_mode", &coding, &mode))
         return NULL;
-    result = Py_BuildValue("(zz)", _ctypes_conversion_encoding, _ctypes_conversion_errors);
+
+    result = Py_BuildValue("(zz)", _ctypes_conversion_encoding,
+                           _ctypes_conversion_errors);
+    if (!result) {
+        return NULL;
+    }
+
     if (coding) {
-        PyMem_Free(_ctypes_conversion_encoding);
-        _ctypes_conversion_encoding = PyMem_Malloc(strlen(coding) + 1);
-        strcpy(_ctypes_conversion_encoding, coding);
-    } else {
-        _ctypes_conversion_encoding = NULL;
+        encoding = PyMem_Malloc(strlen(coding) + 1);
+        if (!encoding) {
+            Py_DECREF(result);
+            return PyErr_NoMemory();
+        }
+        strcpy(encoding, coding);
+    }
+
+    errors = PyMem_Malloc(strlen(mode) + 1);
+    if (!errors) {
+        Py_DECREF(result);
+        PyMem_Free(encoding);
+        return PyErr_NoMemory();
     }
+    strcpy(errors, mode);
+
+    PyMem_Free(_ctypes_conversion_encoding);
+    _ctypes_conversion_encoding = encoding;
+
     PyMem_Free(_ctypes_conversion_errors);
-    _ctypes_conversion_errors = PyMem_Malloc(strlen(mode) + 1);
-    strcpy(_ctypes_conversion_errors, mode);
+    _ctypes_conversion_errors = errors;
+
     return result;
 }
 #endif