cpython: d6bf506ea13f (original) (raw)

Mercurial > cpython

changeset 79880:d6bf506ea13f

Merge #14398: Fix size truncation and overflow bugs in bz2 module. [#14398]

Nadeem Vawda nadeem.vawda@gmail.com
date	Sun, 21 Oct 2012 21:19:11 +0200
parents	92656b5df2f2(current diff)25fdf297c077(diff)
children	c8217046e2cd
files	Lib/test/test_bz2.py Misc/NEWS
diffstat	2 files changed, 26 insertions(+), 9 deletions(-)[+] [-] Misc/NEWS 2 Modules/_bz2module.c 33

line wrap: on

line diff

--- a/Misc/NEWS +++ b/Misc/NEWS @@ -59,6 +59,8 @@ Core and Builtins Library ------- +- Issue #14398: Fix size truncation and overflow bugs in the bz2 module. +

Issue #12692: Fix resource leak in urllib.request when talking to an HTTP server that does not include a "Connection: close" header in its responses.

--- a/Modules/_bz2module.c +++ b/Modules/_bz2module.c @@ -123,7 +123,14 @@ grow_buffer(PyObject **buf) giving us amortized linear-time behavior. Use a less-than-double growth factor to avoid excessive allocation. */ size_t size = PyBytes_GET_SIZE(*buf);

return _PyBytes_Resize(buf, size + (size >> 3) + 6);

size_t new_size = size + (size >> 3) + 6;
if (new_size > size) {

   return _PyBytes_Resize(buf, new_size);[](#l3.10)

} else { /* overflow */

   PyErr_SetString(PyExc_OverflowError,[](#l3.12)

                   "Unable to allocate buffer - output too large");[](#l3.13)

```
   return -1;[](#l3.14)
```
}

} @@ -169,10 +176,14 @@ compress(BZ2Compressor *c, char *data, s break; if (c->bzs.avail_out == 0) {

       if (grow_buffer(&result) < 0)[](#l3.23)

```
           goto error;[](#l3.24)
```

       c->bzs.next_out = PyBytes_AS_STRING(result) + data_size;[](#l3.25)

       c->bzs.avail_out = PyBytes_GET_SIZE(result) - data_size;[](#l3.26)

       size_t buffer_left = PyBytes_GET_SIZE(result) - data_size;[](#l3.27)

       if (buffer_left == 0) {[](#l3.28)

           if (grow_buffer(&result) < 0)[](#l3.29)

```
               goto error;[](#l3.30)
```

           c->bzs.next_out = PyBytes_AS_STRING(result) + data_size;[](#l3.31)

           buffer_left = PyBytes_GET_SIZE(result) - data_size;[](#l3.32)

```
       }[](#l3.33)
```
```
       c->bzs.avail_out = MIN(buffer_left, UINT_MAX);[](#l3.34)
   }[](#l3.35)
```
} if (data_size != PyBytes_GET_SIZE(result)) @@ -390,10 +401,14 @@ decompress(BZ2Decompressor *d, char *dat len -= d->bzs.avail_in; } if (d->bzs.avail_out == 0) {

       if (grow_buffer(&result) < 0)[](#l3.42)

```
           goto error;[](#l3.43)
```

       d->bzs.next_out = PyBytes_AS_STRING(result) + data_size;[](#l3.44)

       d->bzs.avail_out = PyBytes_GET_SIZE(result) - data_size;[](#l3.45)

       size_t buffer_left = PyBytes_GET_SIZE(result) - data_size;[](#l3.46)

       if (buffer_left == 0) {[](#l3.47)

           if (grow_buffer(&result) < 0)[](#l3.48)

```
               goto error;[](#l3.49)
```

           d->bzs.next_out = PyBytes_AS_STRING(result) + data_size;[](#l3.50)

           buffer_left = PyBytes_GET_SIZE(result) - data_size;[](#l3.51)

```
       }[](#l3.52)
```

       d->bzs.avail_out = MIN(buffer_left, UINT_MAX);[](#l3.53)
   }[](#l3.54)

} if (data_size != PyBytes_GET_SIZE(result))