(original) (raw)

changeset: 80015:102df748572d branch: 3.2 parent: 80010:652286ee23f8 user: Mark Dickinson mdickinson@enthought.com date: Sun Oct 28 10🔞03 2012 +0000 files: Lib/test/test_unicode.py Misc/NEWS Objects/stringlib/formatter.h Objects/stringlib/string_format.h Objects/unicodeobject.c description: Issue #14700: Fix buggy overflow checks for large precision and width in new-style and old-style formatting. diff -r 652286ee23f8 -r 102df748572d Lib/test/test_unicode.py --- a/Lib/test/test_unicode.py Sun Oct 28 10:51:35 2012 +0100 +++ b/Lib/test/test_unicode.py Sun Oct 28 10🔞03 2012 +0000 @@ -906,6 +906,21 @@ self.assertRaises(ValueError, '{}'.format_map, 'a') self.assertRaises(ValueError, '{a} {}'.format_map, {"a" : 2, "b" : 1}) + def test_format_huge_precision(self): + format_string = ".{}f".format(sys.maxsize + 1) + with self.assertRaises(ValueError): + result = format(2.34, format_string) + + def test_format_huge_width(self): + format_string = "{}f".format(sys.maxsize + 1) + with self.assertRaises(ValueError): + result = format(2.34, format_string) + + def test_format_huge_item_number(self): + format_string = "{{{}:.6f}}".format(sys.maxsize + 1) + with self.assertRaises(ValueError): + result = format_string.format(2.34) + def test_format_auto_numbering(self): class C: def __init__(self, x=100): @@ -990,6 +1005,18 @@ self.assertEqual('%f' % INF, 'inf') self.assertEqual('%F' % INF, 'INF') + @support.cpython_only + def test_formatting_huge_precision(self): + from _testcapi import INT_MAX + format_string = "%.{}f".format(INT_MAX + 1) + with self.assertRaises(ValueError): + result = format_string % 2.34 + + def test_formatting_huge_width(self): + format_string = "%{}f".format(sys.maxsize + 1) + with self.assertRaises(ValueError): + result = format_string % 2.34 + def test_startswith_endswith_errors(self): for meth in ('foo'.startswith, 'foo'.endswith): with self.assertRaises(TypeError) as cm: diff -r 652286ee23f8 -r 102df748572d Misc/NEWS --- a/Misc/NEWS Sun Oct 28 10:51:35 2012 +0100 +++ b/Misc/NEWS Sun Oct 28 10🔞03 2012 +0000 @@ -10,6 +10,9 @@ Core and Builtins ----------------- +- Issue #14700: Fix buggy overflow checks when handling large precisions and + widths in old-style and new-style formatting. + - Issue #6074: Ensure cached bytecode files can always be updated by the user that created them, even when the source file is read-only. diff -r 652286ee23f8 -r 102df748572d Objects/stringlib/formatter.h --- a/Objects/stringlib/formatter.h Sun Oct 28 10:51:35 2012 +0100 +++ b/Objects/stringlib/formatter.h Sun Oct 28 10🔞03 2012 +0000 @@ -73,7 +73,7 @@ get_integer(STRINGLIB_CHAR **ptr, STRINGLIB_CHAR *end, Py_ssize_t *result) { - Py_ssize_t accumulator, digitval, oldaccumulator; + Py_ssize_t accumulator, digitval; int numdigits; accumulator = numdigits = 0; for (;;(*ptr)++, numdigits++) { @@ -83,19 +83,17 @@ if (digitval < 0) break; /* - This trick was copied from old Unicode format code. It's cute, - but would really suck on an old machine with a slow divide - implementation. Fortunately, in the normal case we do not - expect too many digits. + Detect possible overflow before it happens: + + accumulator * 10 + digitval > PY_SSIZE_T_MAX if and only if + accumulator > (PY_SSIZE_T_MAX - digitval) / 10. */ - oldaccumulator = accumulator; - accumulator *= 10; - if ((accumulator+10)/10 != oldaccumulator+1) { + if (accumulator > (PY_SSIZE_T_MAX - digitval) / 10) { PyErr_Format(PyExc_ValueError, "Too many decimal digits in format string"); return -1; } - accumulator += digitval; + accumulator = accumulator * 10 + digitval; } *result = accumulator; return numdigits; diff -r 652286ee23f8 -r 102df748572d Objects/stringlib/string_format.h --- a/Objects/stringlib/string_format.h Sun Oct 28 10:51:35 2012 +0100 +++ b/Objects/stringlib/string_format.h Sun Oct 28 10🔞03 2012 +0000 @@ -197,7 +197,6 @@ { Py_ssize_t accumulator = 0; Py_ssize_t digitval; - Py_ssize_t oldaccumulator; STRINGLIB_CHAR *p; /* empty string is an error */ @@ -209,19 +208,17 @@ if (digitval < 0) return -1; /* - This trick was copied from old Unicode format code. It's cute, - but would really suck on an old machine with a slow divide - implementation. Fortunately, in the normal case we do not - expect too many digits. + Detect possible overflow before it happens: + + accumulator * 10 + digitval > PY_SSIZE_T_MAX if and only if + accumulator > (PY_SSIZE_T_MAX - digitval) / 10. */ - oldaccumulator = accumulator; - accumulator *= 10; - if ((accumulator+10)/10 != oldaccumulator+1) { + if (accumulator > (PY_SSIZE_T_MAX - digitval) / 10) { PyErr_Format(PyExc_ValueError, "Too many decimal digits in format string"); return -1; } - accumulator += digitval; + accumulator = accumulator * 10 + digitval; } return accumulator; } diff -r 652286ee23f8 -r 102df748572d Objects/unicodeobject.c --- a/Objects/unicodeobject.c Sun Oct 28 10:51:35 2012 +0100 +++ b/Objects/unicodeobject.c Sun Oct 28 10🔞03 2012 +0000 @@ -9648,7 +9648,7 @@ c = *fmt++; if (c < '0' || c > '9') break; - if ((width*10) / 10 != width) { + if (width > (PY_SSIZE_T_MAX - ((int)c - '0')) / 10) { PyErr_SetString(PyExc_ValueError, "width too big"); goto onError; @@ -9683,7 +9683,7 @@ c = *fmt++; if (c < '0' || c > '9') break; - if ((prec*10) / 10 != prec) { + if (prec > (INT_MAX - ((int)c - '0')) / 10) { PyErr_SetString(PyExc_ValueError, "prec too big"); goto onError; /mdickinson@enthought.com