
Author vstinner
Recipients benjamin.peterson, ezio.melotti, pkt, python-dev, serhiy.storchaka, vstinner
Date 2014-10-15.16:10:29
Message-id <1413389429.25.0.689818804153.issue22643@psf.upfronthosting.co.za>
In-reply-to
Content
Benjamin, could you please first propose a patch for review instead of committing your change directly? Especially for security-related changes.

+    if (length > PY_SSIZE_T_MAX / 3 ||
+        length > PY_SIZE_MAX / (3 * sizeof(Py_UCS4))) {
+        PyErr_SetString(PyExc_OverflowError, "string is too long");
+        return NULL;
+    }
     tmp = PyMem_MALLOC(sizeof(Py_UCS4) * 3 * length);
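
Review bot: in the added condition, the first clause (length > PY_SSIZE_T_MAX / 3) is subsumed by the second, because PY_SIZE_MAX / (3 * sizeof(Py_UCS4)) is already the smaller bound for a 4-byte Py_UCS4, so one of the two can go. The remaining comparison mixes length with an unsigned size_t expression without a cast, and it bounds the request against PY_SIZE_MAX rather than against the limit the allocator itself applies. Suggest a single comparison with an explicit (size_t) cast, plus a short comment saying where the factor 3 in the PyMem_MALLOC size comes from.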

PyMem_MALLOC() returns NULL if the length is larger than PY_SSIZE_T_MAX, so the overflow check doesn't look correct. The overflow check can be replaced with:

    if ((size_t)length > PY_SSIZE_T_MAX / (3 * sizeof(Py_UCS4))) ...
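
The single-comparison form suggested in this message, as an added C example that is not part of the original message or of CPython. The names `ucs4_t`, `ALLOC_LIMIT`, `PER_CHAR` and the three functions are stand-ins assumed here for `Py_UCS4`, `PY_SSIZE_T_MAX` and the real code; the example also shows that the cast rejects negative lengths and what the unchecked product wraps to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-ins (assumptions, not CPython definitions):
 * ucs4_t for Py_UCS4, ALLOC_LIMIT for PY_SSIZE_T_MAX. */
typedef uint32_t ucs4_t;
#define ALLOC_LIMIT (SIZE_MAX >> 1)
#define PER_CHAR    (3 * sizeof(ucs4_t))

/* Returns 1 and stores the byte count when PER_CHAR * length stays within
 * ALLOC_LIMIT, 0 otherwise. Dividing the limit avoids computing a product
 * that could wrap. The cast turns a negative length into a huge unsigned
 * value, so negative lengths fail the same comparison. */
int triple_size(ptrdiff_t length, size_t *nbytes)
{
    if ((size_t)length > ALLOC_LIMIT / PER_CHAR)
        return 0;
    *nbytes = PER_CHAR * (size_t)length;
    return 1;
}

/* The same product with no check: the result is reduced modulo SIZE_MAX + 1,
 * so a very large length can yield a tiny allocation size. */
size_t triple_size_unchecked(size_t length)
{
    return PER_CHAR * length;
}

/* Allocate room for 3 * length code points, or return NULL if refused. */
ucs4_t *alloc_triple(ptrdiff_t length)
{
    size_t nbytes;
    if (!triple_size(length, &nbytes))
        return NULL;
    return malloc(nbytes ? nbytes : 1);
}

int main(void)
{
    size_t n;
    ptrdiff_t max_ok = (ptrdiff_t)(ALLOC_LIMIT / PER_CHAR);
    /* The largest accepted length passes; one more is rejected. */
    int ok = triple_size(max_ok, &n) && !triple_size(max_ok + 1, &n);
    return ok ? 0 : 1;
}
```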