Message257977
static char *
mymemreplace(const char *str, Py_ssize_t len,
const char *pat, Py_ssize_t pat_len, pattern string to find */
const char *sub, Py_ssize_t sub_len, substitution string */
Py_ssize_t count, number of replacements */
Py_ssize_t *out_len)
{
[...]
new_len = len + nfound*(sub_len - pat_len); <<<< Unchecked arithmetic can overflow here.
if (new_len == 0) {
/* Have to allocate something for the caller to free(). */
out_s = (char *)PyMem_MALLOC(1);
if (out_s == NULL)
return NULL;
out_s[0] = '\0';
}
else {
assert(new_len > 0);
new_s = (char *)PyMem_MALLOC(new_len); <<<< An allocation is performed using overflowed value.
if (new_s == NULL)
return NULL;
out_s = new_s;
for (; count > 0 && len > 0; --count) { <<<< Memory is copied to new_s using len, which can be greater than the overflowed new_len value.
/* find index of next instance of pattern */
offset = mymemfind(str, len, pat, pat_len);
if (offset == -1)
break;
/* copy non matching part of input string */
memcpy(new_s, str, offset);
str += offset + pat_len;
len -= offset + pat_len;
/* copy substitute into the output string */
new_s += offset;
memcpy(new_s, sub, sub_len);
new_s += sub_len;
}
/* copy any remaining values into output string */
if (len > 0)
memcpy(new_s, str, len);
} |
|
Date |
User |
Action |
Args |
2016-01-11 17:14:38 | Ramin Farajpour Cami | set | recipients:
+ Ramin Farajpour Cami, gvanrossum |
2016-01-11 17:14:38 | Ramin Farajpour Cami | set | messageid: <1452532478.13.0.192940570708.issue26059@psf.upfronthosting.co.za> |
2016-01-11 17:14:38 | Ramin Farajpour Cami | link | issue26059 messages |
2016-01-11 17:14:37 | Ramin Farajpour Cami | create | |
|