From 550b945fd66f1c6837a53fbf29dc8e524297b8c3 Mon Sep 17 00:00:00 2001 From: Benjamin Peterson Date: Mon, 23 Jun 2014 20:12:27 -0700 Subject: [PATCH] avoid overflow with large buffer sizes and/or offsets (closes #21831) --- Lib/test/test_buffer.py | 6 ++++++ Misc/NEWS | 3 +++ Objects/bufferobject.c | 4 ++-- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/Lib/test/test_buffer.py b/Lib/test/test_buffer.py index ac8e636ba4..a02c5f7e36 100644 --- a/Lib/test/test_buffer.py +++ b/Lib/test/test_buffer.py @@ -4,6 +4,7 @@ For now, tests just new or changed functionality. """ +import sys import unittest from test import test_support @@ -29,6 +30,11 @@ class BufferTests(unittest.TestCase): m = memoryview(b) # Should not raise an exception self.assertEqual(m.tobytes(), s) + def test_large_buffer_size_and_offset(self): + data = bytearray('hola mundo') + buf = buffer(data, sys.maxsize, sys.maxsize) + self.assertEqual(buf[:4096], "") + def test_main(): with test_support.check_py3k_warnings(("buffer.. not supported", diff --git a/Misc/NEWS b/Misc/NEWS index 3238d06ec7..a077b4d6da 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -10,6 +10,9 @@ What's New in Python 2.7.8? Core and Builtins ----------------- +- Issue #21831: Avoid integer overflow when large sizes and offsets are given to + the buffer type. + - Issue #1856: Avoid crashes and lockups when daemon threads run while the interpreter is shutting down; instead, these threads are now killed when they try to take the GIL. diff --git a/Objects/bufferobject.c b/Objects/bufferobject.c index 23b97b23d9..bcfab71787 100644 --- a/Objects/bufferobject.c +++ b/Objects/bufferobject.c @@ -88,7 +88,7 @@ get_buf(PyBufferObject *self, void **ptr, Py_ssize_t *size, *size = count; else *size = self->b_size; - if (offset + *size > count) + if (*size > count - offset) *size = count - offset; } return 1; 
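Review bot: The new test_large_buffer_size_and_offset checks the clamped buffer only through a slice, `buf[:4096]`, so a regression in the reported size could pass unnoticed. Asserting the length as well, `self.assertEqual(len(buf), 0)`, would pin the clamped size directly, assuming len() goes through the same get_buf path that Objects/bufferobject.c patches. A one-line comment such as `# offset + size used to overflow Py_ssize_t (issue #21831)` would also tell a later reader why sys.maxsize is passed twice.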
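Review bot: The rewritten bound check in get_buf, `if (*size > count - offset)`, is only overflow-free when 0 <= offset <= count, and the lines that would establish that are not in this hunk. A comment above the check would keep a later edit from reverting to the additive form: `/* offset + *size can overflow Py_ssize_t; offset <= count is assumed here, so count - offset cannot */`. If offset is not already clamped to count earlier in the function, the subtraction goes negative and `*size` with it, so that clamp is worth confirming. get_buf starts and ends outside the hunk.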
@@ -875,4 +875,4 @@ PyTypeObject PyBuffer_Type = {
 0, /* tp_init */
 0, /* tp_alloc */
 buffer_new, /* tp_new */
-};
\ No newline at end of file
+};
-- 2.50.1