(original) (raw)

changeset: 79880:d6bf506ea13f parent: 79876:92656b5df2f2 parent: 79879:25fdf297c077 user: Nadeem Vawda nadeem.vawda@gmail.com date: Sun Oct 21 21:19:11 2012 +0200 files: Lib/test/test_bz2.py Misc/NEWS description: Merge #14398: Fix size truncation and overflow bugs in bz2 module. diff -r 92656b5df2f2 -r d6bf506ea13f Misc/NEWS --- a/Misc/NEWS Sun Oct 21 17:37:43 2012 +0200 +++ b/Misc/NEWS Sun Oct 21 21:19:11 2012 +0200 @@ -59,6 +59,8 @@ Library ------- +- Issue #14398: Fix size truncation and overflow bugs in the bz2 module. + - Issue #12692: Fix resource leak in urllib.request when talking to an HTTP server that does not include a "Connection: close" header in its responses. diff -r 92656b5df2f2 -r d6bf506ea13f Modules/_bz2module.c --- a/Modules/_bz2module.c Sun Oct 21 17:37:43 2012 +0200 +++ b/Modules/_bz2module.c Sun Oct 21 21:19:11 2012 +0200 @@ -123,7 +123,14 @@ giving us amortized linear-time behavior. Use a less-than-double growth factor to avoid excessive allocation. */ size_t size = PyBytes_GET_SIZE(*buf); - return _PyBytes_Resize(buf, size + (size >> 3) + 6); + size_t new_size = size + (size >> 3) + 6; + if (new_size > size) { + return _PyBytes_Resize(buf, new_size); + } else { /* overflow */ + PyErr_SetString(PyExc_OverflowError, + "Unable to allocate buffer - output too large"); + return -1; + } } @@ -169,10 +176,14 @@ break; if (c->bzs.avail_out == 0) { - if (grow_buffer(&result) < 0) - goto error; - c->bzs.next_out = PyBytes_AS_STRING(result) + data_size; - c->bzs.avail_out = PyBytes_GET_SIZE(result) - data_size; + size_t buffer_left = PyBytes_GET_SIZE(result) - data_size; + if (buffer_left == 0) { + if (grow_buffer(&result) < 0) + goto error; + c->bzs.next_out = PyBytes_AS_STRING(result) + data_size; + buffer_left = PyBytes_GET_SIZE(result) - data_size; + } + c->bzs.avail_out = MIN(buffer_left, UINT_MAX); } } if (data_size != PyBytes_GET_SIZE(result)) @@ -390,10 +401,14 @@ len -= d->bzs.avail_in; } if (d->bzs.avail_out == 0) { - if (grow_buffer(&result) < 0) - goto error; - d->bzs.next_out = PyBytes_AS_STRING(result) + data_size; - d->bzs.avail_out = PyBytes_GET_SIZE(result) - data_size; + size_t buffer_left = PyBytes_GET_SIZE(result) - data_size; + if (buffer_left == 0) { + if (grow_buffer(&result) < 0) + goto error; + d->bzs.next_out = PyBytes_AS_STRING(result) + data_size; + buffer_left = PyBytes_GET_SIZE(result) - data_size; + } + d->bzs.avail_out = MIN(buffer_left, UINT_MAX); } } if (data_size != PyBytes_GET_SIZE(result)) /nadeem.vawda@gmail.com