cpython: a84ae2ccd220 (original) (raw)
changeset 94653:a84ae2ccd220
Issue #23450: Fixed possible integer overflows. [#23450]
Serhiy Storchaka storchaka@gmail.com | |
---|---|
date | Mon, 16 Feb 2015 20:52:17 +0200 |
parents | d12c7938c4b0 |
children | c0e79e080307 |
files | Modules/_ctypes/_ctypes.c Modules/_elementtree.c Modules/_sqlite/row.c Modules/_tkinter.c Objects/bytesobject.c Objects/obmalloc.c Python/codecs.c Python/marshal.c |
diffstat | 8 files changed, 64 insertions(+), 50 deletions(-)[+] [-] Modules/_ctypes/_ctypes.c 2 Modules/_elementtree.c 57 Modules/_sqlite/row.c 2 Modules/_tkinter.c 45 Objects/bytesobject.c 2 Objects/obmalloc.c 2 Python/codecs.c 2 Python/marshal.c 2 |
--- a/Modules/_ctypes/_ctypes.c +++ b/Modules/_ctypes/_ctypes.c @@ -301,7 +301,7 @@ char * char *new_prefix; char *result; char buf[32];
--- a/Modules/_elementtree.c +++ b/Modules/_elementtree.c @@ -11,6 +11,8 @@ -------------------------------------------------------------------- / +#define PY_SSIZE_T_CLEAN + #include "Python.h" #include "structmember.h" @@ -185,8 +187,8 @@ typedef struct { PyObject attrib; / child elements */
/* this either points to _children or to a malloced buffer / PyObject children; @@ -251,7 +253,7 @@ LOCAL(void) dealloc_extra(ElementObject self) { ElementObjectExtra *myextra;
if (!self->extra) return; @@ -429,9 +431,9 @@ element_init(PyObject self, PyObject a } LOCAL(int) -element_resize(ElementObject self, int extra) +element_resize(ElementObject self, Py_ssize_t extra) {
- Py_ssize_t size; PyObject* children; / make sure self->children can hold the given number of extra @@ -442,7 +444,7 @@ element_resize(ElementObject* self, int return -1; }
if (size > self->extra->allocated) { /* use Python 2.4's list growth strategy / @@ -453,6 +455,8 @@ element_resize(ElementObject self, int * be safe. */ size = size ? size : 1;
if ((size_t)size > PY_SSIZE_T_MAX/sizeof(PyObject*))[](#l2.57)
goto nomemory;[](#l2.58) if (self->extra->children != self->extra->_children) {[](#l2.59) /* Coverity CID #182 size_error: Allocating 1 bytes to pointer[](#l2.60) * "children", which needs at least 4 bytes. Although it's a[](#l2.61)
@@ -613,7 +617,7 @@ element_gc_traverse(ElementObject *self, Py_VISIT(JOIN_OBJ(self->tail)); if (self->extra) {
int i;[](#l2.66)
Py_ssize_t i;[](#l2.67) Py_VISIT(self->extra->attrib);[](#l2.68)
for (i = 0; i < self->extra->length; ++i) @@ -689,7 +693,7 @@ element_clearmethod(ElementObject* self, static PyObject* element_copy(ElementObject* self, PyObject* args) {
- Py_ssize_t i; ElementObject* element; if (!PyArg_ParseTuple(args, ":copy")) @@ -728,7 +732,7 @@ element_copy(ElementObject* self, PyObje static PyObject* element_deepcopy(ElementObject* self, PyObject* args) {
- Py_ssize_t i; ElementObject* element; PyObject* tag; PyObject* attrib; @@ -839,7 +843,7 @@ element_sizeof(PyObject* myself, PyObjec static PyObject * element_getstate(ElementObject *self) {
- Py_ssize_t i, noattrib; PyObject instancedict = NULL, children; / Build a list of children. / @@ -1077,7 +1081,7 @@ element_extend(ElementObject self, PyOb static PyObject element_find(ElementObject *self, PyObject *args, PyObject *kwds) {
- Py_ssize_t i; PyObject* tag; PyObject* namespaces = Py_None; static char *kwlist[] = {"path", "namespaces", 0}; @@ -1112,7 +1116,7 @@ element_find(ElementObject self, PyObje static PyObject element_findtext(ElementObject *self, PyObject *args, PyObject *kwds) {
- Py_ssize_t i; PyObject* tag; PyObject* default_value = Py_None; PyObject* namespaces = Py_None; @@ -1153,7 +1157,7 @@ element_findtext(ElementObject self, Py static PyObject element_findall(ElementObject *self, PyObject *args, PyObject *kwds) {
- Py_ssize_t i; PyObject* out; PyObject* tag; PyObject* namespaces = Py_None; @@ -1238,7 +1242,7 @@ element_get(ElementObject* self, PyObjec static PyObject* element_getchildren(ElementObject* self, PyObject* args) {
- Py_ssize_t i; PyObject* list; /* FIXME: report as deprecated? / @@ -1310,11 +1314,9 @@ element_getitem(PyObject self_, Py_ssiz static PyObject* element_insert(ElementObject* self, PyObject* args) {
@@ -1402,7 +1404,7 @@ element_makeelement(PyObject* self, PyOb static PyObject* element_remove(ElementObject* self, PyObject* args) {
PyObject* element; if (!PyArg_ParseTuple(args, "O!:remove", &Element_Type, &element)) @@ -1481,7 +1483,7 @@ static int element_setitem(PyObject* self_, Py_ssize_t index, PyObject* item) { ElementObject* self = (ElementObject*) self_;
- Py_ssize_t i; PyObject* old; if (!self->extra || index < 0 || index >= self->extra->length) { @@ -2819,12 +2821,13 @@ makeuniversal(XMLParserObject* self, con
- message string is the default for the given error_code. */ static void -expat_set_error(enum XML_Error error_code, int line, int column, char *message) +expat_set_error(enum XML_Error error_code, Py_ssize_t line, Py_ssize_t column,
const char *message)[](#l2.172)
{ PyObject *errmsg, *error, *position, *code; elementtreestate *st = ET_STATE_GLOBAL;
- errmsg = PyUnicode_FromFormat("%s: line %zd, column %zd", message ? message : EXPAT(ErrorString)(error_code), line, column); if (errmsg == NULL) @@ -2848,7 +2851,7 @@ expat_set_error(enum XML_Error error_cod } Py_DECREF(code);
@@ -3477,8 +3480,14 @@ xmlparser_parse_whole(XMLParserObject* s break; }
if (PyBytes_GET_SIZE(buffer) > INT_MAX) {[](#l2.195)
Py_DECREF(buffer);[](#l2.196)
Py_DECREF(reader);[](#l2.197)
PyErr_SetString(PyExc_OverflowError, "size does not fit in an int");[](#l2.198)
return NULL;[](#l2.199)
}[](#l2.200) res = expat_parse([](#l2.201)
self, PyBytes_AS_STRING(buffer), PyBytes_GET_SIZE(buffer), 0[](#l2.202)
self, PyBytes_AS_STRING(buffer), (int)PyBytes_GET_SIZE(buffer), 0[](#l2.203) );[](#l2.204)
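Review bot: Adding `#define PY_SSIZE_T_CLEAN` at the top of this file makes every `#` length format in its PyArg_Parse*/Py_BuildValue calls use `Py_ssize_t` instead of `int`, and not all of those call sites are visible in the hunks shown here. Any length variable still declared `int` and passed by address for such a format would be written past its end on 64-bit builds, so each call should be checked as part of this change. The same define is added in Modules/_tkinter.c and needs the same audit there. In xmlparser_parse_whole the `PyBytes_GET_SIZE(buffer) > INT_MAX` guard correctly precedes the `(int)` cast; a short comment such as `/* expat takes the length as an int */` would tie the check to the cast for later readers.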
--- a/Modules/_sqlite/row.c +++ b/Modules/sqlite/row.c @@ -159,7 +159,7 @@ Py_ssize_t pysqlite_row_length(pysqlite PyObject* pysqlite_row_keys(pysqlite_Row* self, PyObject* args, PyObject* kwargs) { PyObject* list;
list = PyList_New(0); if (!list) {
--- a/Modules/_tkinter.c +++ b/Modules/_tkinter.c @@ -21,6 +21,7 @@ Copyright (C) 1994 Steen Lumholt. */ +#define PY_SSIZE_T_CLEAN #include "Python.h" #include <ctype.h> @@ -34,7 +35,7 @@ Copyright (C) 1994 Steen Lumholt. #endif #define CHECK_SIZE(size, elemsize) [](#l4.14)
/* If Tcl is compiled for threads, we must also define TCL_THREAD. We define it always; if Tcl is not threaded, the thread functions in @@ -409,7 +410,7 @@ static PyObject * SplitObj(PyObject *arg) { if (PyTuple_Check(arg)) {
int i, size;[](#l4.24)
Py_ssize_t i, size;[](#l4.25) PyObject *elem, *newelem, *result;[](#l4.26)
size = PyTuple_Size(arg); @@ -425,7 +426,7 @@ SplitObj(PyObject *arg) return NULL; } if (!result) {
int k;[](#l4.33)
Py_ssize_t k;[](#l4.34) if (newelem == elem) {[](#l4.35) Py_DECREF(newelem);[](#l4.36) continue;[](#l4.37)
@@ -446,7 +447,7 @@ SplitObj(PyObject arg) / Fall through, returning arg. */ } else if (PyList_Check(arg)) {
int i, size;[](#l4.42)
Py_ssize_t i, size;[](#l4.43) PyObject *elem, *newelem, *result;[](#l4.44)
size = PyList_GET_SIZE(arg); @@ -632,12 +633,12 @@ Tkapp_New(const char screenName, const / some initial arguments need to be in argv */ if (sync || use) { char *args;
int len = 0;[](#l4.51)
Py_ssize_t len = 0;[](#l4.52)
if (sync) len += sizeof "-sync"; if (use)
len += strlen(use) + sizeof "-use ";[](#l4.57)
len += strlen(use) + sizeof "-use "; /* never overflows */[](#l4.58)
args = (char*)PyMem_Malloc(len); if (!args) { @@ -887,9 +888,14 @@ AsObj(PyObject *value) long longVal; int overflow;
- if (PyBytes_Check(value)) {
if (PyBytes_GET_SIZE(value) >= INT_MAX) {[](#l4.68)
PyErr_SetString(PyExc_OverflowError, "bytes object is too long");[](#l4.69)
return NULL;[](#l4.70)
}[](#l4.71) return Tcl_NewByteArrayObj((unsigned char *)PyBytes_AS_STRING(value),[](#l4.72)
PyBytes_GET_SIZE(value));[](#l4.73)
(int)PyBytes_GET_SIZE(value));[](#l4.74)
- } else if (PyBool_Check(value)) return Tcl_NewBooleanObj(PyObject_IsTrue(value)); else if (PyLong_CheckExact(value) && @@ -921,7 +927,7 @@ AsObj(PyObject *value) } for (i = 0; i < size; i++) argv[i] = AsObj(PySequence_Fast_GET_ITEM(value,i));
result = Tcl_NewListObj(size, argv);[](#l4.83)
} @@ -946,7 +952,7 @@ AsObj(PyObject *value) } kind = PyUnicode_KIND(value); if (kind == sizeof(Tcl_UniChar))result = Tcl_NewListObj((int)size, argv);[](#l4.84) PyMem_Free(argv);[](#l4.85) return result;[](#l4.86)
return Tcl_NewUnicodeObj(inbuf, size);[](#l4.92)
return Tcl_NewUnicodeObj(inbuf, (int)size);[](#l4.93) allocsize = ((size_t)size) * sizeof(Tcl_UniChar);[](#l4.94) outbuf = (Tcl_UniChar*)PyMem_Malloc(allocsize);[](#l4.95) /* Else overflow occurred, and we take the next exit */[](#l4.96)
@@ -971,7 +977,7 @@ AsObj(PyObject *value) #endif outbuf[i] = ch; }
result = Tcl_NewUnicodeObj(outbuf, size);[](#l4.101)
} @@ -1139,10 +1145,10 @@ Tkapp_CallArgs(PyObject args, Tcl_Obj* Tcl_IncrRefCount(objv[i]); } }result = Tcl_NewUnicodeObj(outbuf, (int)size);[](#l4.102) PyMem_Free(outbuf);[](#l4.103) return result;[](#l4.104)
@@ -1495,7 +1501,6 @@ var_invoke(EventFunc func, PyObject *sel #ifdef WITH_THREAD TkappObject self = (TkappObject)selfptr; if (self->threaded && self->thread_id != Tcl_GetCurrentThread()) {
TkappObject *self = (TkappObject*)selfptr;[](#l4.123) VarEvent *ev;[](#l4.124) PyObject *res, *exc_type, *exc_val;[](#l4.125) Tcl_Condition cond = NULL;[](#l4.126)
@@ -2721,20 +2726,20 @@ static PyType_Spec Tkapp_Type_spec = { typedef struct { PyObject* tuple;
} FlattenContext; static int -_bump(FlattenContext* context, int size) +_bump(FlattenContext* context, Py_ssize_t size) { /* expand tuple to hold (at least) size new items. return true if successful, false if an exception was raised */
if (maxsize < context->size + size)
maxsize = context->size + size;[](#l4.148)
maxsize = context->size + size; /* never overflows */[](#l4.149)
context->maxsize = maxsize; @@ -2746,7 +2751,7 @@ static int { /* add tuple or list to argument tuple (recursively) */
if (depth > 1000) { PyErr_SetString(PyExc_ValueError,
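Review bot: The new bytes guard in AsObj rejects `PyBytes_GET_SIZE(value) >= INT_MAX`, while the matching guard this commit adds in Modules/_elementtree.c uses `> INT_MAX`, so a bytes object of exactly INT_MAX bytes is refused here although its length fits in an int. If the stricter bound is deliberate, a one-line comment saying why would keep it from being "corrected" later; otherwise `if (PyBytes_GET_SIZE(value) > INT_MAX) {` matches the other site. The `(int)size` casts added further down in AsObj (the Tcl_NewListObj and Tcl_NewUnicodeObj calls) rely on a range check that is outside these hunks, presumably the CHECK_SIZE macro changed near the top of the file. It is worth confirming that every path to those casts passes through it, since a truncated length handed to Tcl next to a longer buffer is the class of bug this change is meant to close.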
--- a/Objects/bytesobject.c +++ b/Objects/bytesobject.c @@ -673,7 +673,7 @@ PyObject " wants int"); goto error; }
prec = PyLong_AsSsize_t(v);[](#l5.7)
prec = _PyLong_AsInt(v);[](#l5.8) if (prec == -1 && PyErr_Occurred())[](#l5.9) goto error;[](#l5.10) if (prec < 0)[](#l5.11)
--- a/Objects/obmalloc.c +++ b/Objects/obmalloc.c @@ -1339,7 +1339,7 @@ static void pool = (poolp)usable_arenas->pool_address; assert((block)pool <= (block*)usable_arenas->address + ARENA_SIZE - POOL_SIZE);
pool->arenaindex = usable_arenas - arenas;[](#l6.7)
pool->arenaindex = (uint)(usable_arenas - arenas);[](#l6.8) assert(&arenas[pool->arenaindex] == usable_arenas);[](#l6.9) pool->szidx = DUMMY_SIZE_IDX;[](#l6.10) usable_arenas->pool_address += POOL_SIZE;[](#l6.11)
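Review bot: The `(uint)` cast on `usable_arenas - arenas` narrows a pointer difference with nothing in the hunk stating why the value fits, and the `assert(&arenas[pool->arenaindex] == usable_arenas)` on the next line checks the round trip only in builds with assertions enabled. A comment naming the bound would make the cast auditable, for example `/* arena count is tracked in a uint, so the index fits */`, if that is indeed the invariant (it is not visible here). The same applies to `(int)strlen(buffer)` in Python/codecs.c, where the bound is presumably `sizeof(buffer)` from the getname call, and to `w = (int)s;` in Python/marshal.c, where the preceding "too many objects" branch appears to be the range check. The enclosing function starts and ends outside the hunk.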
--- a/Python/codecs.c +++ b/Python/codecs.c @@ -1006,7 +1006,7 @@ PyObject *PyCodec_NameReplaceErrors(PyOb c = PyUnicode_READ_CHAR(object, i); if (ucnhash_CAPI && ucnhash_CAPI->getname(NULL, c, buffer, sizeof(buffer), 1)) {
replsize = 1+1+1+strlen(buffer)+1;[](#l7.7)
replsize = 1+1+1+(int)strlen(buffer)+1;[](#l7.8) }[](#l7.9) else if (c >= 0x10000) {[](#l7.10) replsize = 1+1+8;[](#l7.11)
--- a/Python/marshal.c +++ b/Python/marshal.c @@ -279,7 +279,7 @@ w_ref(PyObject *v, char *flag, WFILE *p) PyErr_SetString(PyExc_ValueError, "too many objects"); goto err; }
w = s;[](#l8.7)
w = (int)s;[](#l8.8) Py_INCREF(v);[](#l8.9) if (_Py_HASHTABLE_SET(p->hashtable, v, w) < 0) {[](#l8.10) Py_DECREF(v);[](#l8.11)