
Author Ramin Farajpour Cami
Recipients Ramin Farajpour Cami, gvanrossum
Date 2016-01-11.17:14:37
Message-id <1452532478.13.0.192940570708.issue26059@psf.upfronthosting.co.za>
In-reply-to
Content
static char *
mymemreplace(const char *str, Py_ssize_t len,
         const char *pat, Py_ssize_t pat_len,           /* pattern string to find */
         const char *sub, Py_ssize_t sub_len,           /* substitution string */
         Py_ssize_t count,                              /* number of replacements */
         Py_ssize_t *out_len)
{
    [...]

    new_len = len + nfound*(sub_len - pat_len); <<<< Unchecked arithmetic can overflow here.
    if (new_len == 0) {
        /* Have to allocate something for the caller to free(). */
        out_s = (char *)PyMem_MALLOC(1);
        if (out_s == NULL)
            return NULL;
        out_s[0] = '\0';
    }
    else {
        assert(new_len > 0);
        new_s = (char *)PyMem_MALLOC(new_len); <<<< An allocation is performed using overflowed value.
        if (new_s == NULL)
            return NULL;
        out_s = new_s;

        for (; count > 0 && len > 0; --count) { <<<< Memory is copied to new_s using len, which can be greater than the overflowed new_len value.
            /* find index of next instance of pattern */
            offset = mymemfind(str, len, pat, pat_len);
            if (offset == -1)
                break;

            /* copy non matching part of input string */
            memcpy(new_s, str, offset);
            str += offset + pat_len;
            len -= offset + pat_len;

            /* copy substitute into the output string */
            new_s += offset;
            memcpy(new_s, sub, sub_len);
            new_s += sub_len;
        }
        /* copy any remaining values into output string */
        if (len > 0)
            memcpy(new_s, str, len);
    }
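
An overflow-checked form of the new_len computation flagged above, shown as an added example; it is not part of the original report and is not the fix CPython applied. The name checked_replace_len and the ssize_type stand-in for Py_ssize_t are assumptions made so that the code builds without Python headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for Py_ssize_t (assumption) so this builds without Python.h. */
typedef ptrdiff_t ssize_type;
#define SSIZE_TYPE_MAX PTRDIFF_MAX

/*
 * Compute len + nfound * (sub_len - pat_len) without signed overflow.
 * Returns 0 and stores the result in *new_len, or -1 if an input is
 * negative or the result does not fit in ssize_type.
 */
static int
checked_replace_len(ssize_type len, ssize_type nfound,
                    ssize_type pat_len, ssize_type sub_len,
                    ssize_type *new_len)
{
    if (len < 0 || nfound < 0 || pat_len < 0 || sub_len < 0)
        return -1;

    if (sub_len >= pat_len) {
        /* Output grows: both operands are >= 0, so the difference is safe. */
        ssize_type grow = sub_len - pat_len;
        /* Divide instead of multiplying so the test itself cannot wrap. */
        if (grow > 0 && nfound > (SSIZE_TYPE_MAX - len) / grow)
            return -1;
        *new_len = len + nfound * grow;
    }
    else {
        /* Output shrinks: refuse a match count the input could not hold. */
        ssize_type shrink = pat_len - sub_len;
        if (nfound > len / shrink)
            return -1;
        *new_len = len - nfound * shrink;
    }
    return 0;
}

int main(void)
{
    ssize_type out = 0;
    /* Constructed inputs: two 2-byte matches replaced by 5 bytes each. */
    if (checked_replace_len(10, 2, 2, 5, &out) == 0)
        printf("new_len = %td\n", out);
    /* Constructed inputs whose result exceeds SSIZE_TYPE_MAX. */
    if (checked_replace_len(SSIZE_TYPE_MAX / 2 + 1, SSIZE_TYPE_MAX / 2 + 1, 1, 3, &out) != 0)
        printf("rejected: result would overflow\n");
    return 0;
}
```

A caller would return NULL (after setting MemoryError or OverflowError) when the helper reports -1, before reaching PyMem_MALLOC.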