pool/python
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
e76bc8d64f
python/python-2.7.13-overflow_check.patch
Jan Matejek e76bc8d64f - update python-2.7.10-overflow_check.patch 
with python-2.7.13-overflow_check.patch, incorporating upstream changes

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=201
2017-01-05 11:54:43 +00:00

301 lines
10 KiB
Diff
Raw Blame History

Index: Python-2.7.13/Objects/unicodeobject.c
===================================================================
--- Python-2.7.13.orig/Objects/unicodeobject.c
+++ Python-2.7.13/Objects/unicodeobject.c
@@ -5732,20 +5732,20 @@ PyUnicode_Join(PyObject *separator, PyOb
/* Make sure we have enough space for the separator and the item. */
itemlen = PyUnicode_GET_SIZE(item);
- new_res_used = res_used + itemlen;
- if (new_res_used < 0)
+ if (res_used > PY_SSIZE_T_MAX - itemlen)
goto Overflow;
+ new_res_used = res_used + itemlen;
if (i < seqlen - 1) {
- new_res_used += seplen;
- if (new_res_used < 0)
+ if (new_res_used > PY_SSIZE_T_MAX - seplen)
goto Overflow;
+ new_res_used += seplen;
}
if (new_res_used > res_alloc) {
/* double allocated size until it's big enough */
do {
- res_alloc += res_alloc;
- if (res_alloc <= 0)
+ if (res_alloc >= PY_SSIZE_T_MAX - res_alloc)
goto Overflow;
+ res_alloc += res_alloc;
} while (new_res_used > res_alloc);
if (_PyUnicode_Resize(&res, res_alloc) < 0) {
Py_DECREF(item);
@@ -5943,7 +5943,7 @@ PyObject *replace(PyUnicodeObject *self,
} else {
Py_ssize_t n, i, j;
- Py_ssize_t product, new_size, delta;
+ Py_ssize_t new_size, delta;
Py_UNICODE *p;
/* replace strings */
@@ -5956,18 +5956,12 @@ PyObject *replace(PyUnicodeObject *self,
if (delta == 0) {
new_size = self->length;
} else {
- product = n * (str2->length - str1->length);
- if ((product / (str2->length - str1->length)) != n) {
- PyErr_SetString(PyExc_OverflowError,
- "replace string is too long");
- return NULL;
- }
- new_size = self->length + product;
- if (new_size < 0) {
+ if (str2->length - str1->length > (PY_SSIZE_T_MAX - self->length) / n) {
PyErr_SetString(PyExc_OverflowError,
"replace string is too long");
return NULL;
}
+ new_size = self->length + n * (str2->length - str1->length);
}
u = _PyUnicode_New(new_size);
if (!u)
Index: Python-2.7.13/Objects/tupleobject.c
===================================================================
--- Python-2.7.13.orig/Objects/tupleobject.c
+++ Python-2.7.13/Objects/tupleobject.c
@@ -446,9 +446,9 @@ tupleconcat(register PyTupleObject *a, r
return NULL;
}
#define b ((PyTupleObject *)bb)
- size = Py_SIZE(a) + Py_SIZE(b);
- if (size < 0)
+ if (Py_SIZE(a) > PY_SSIZE_T_MAX - Py_SIZE(b))
return PyErr_NoMemory();
+ size = Py_SIZE(a) + Py_SIZE(b);
np = (PyTupleObject *) PyTuple_New(size);
if (np == NULL) {
return NULL;
@@ -490,9 +490,9 @@ tuplerepeat(PyTupleObject *a, Py_ssize_t
if (Py_SIZE(a) == 0)
return PyTuple_New(0);
}
- size = Py_SIZE(a) * n;
- if (size/Py_SIZE(a) != n)
+ if (n > PY_SSIZE_T_MAX / Py_SIZE(a))
return PyErr_NoMemory();
+ size = Py_SIZE(a) * n;
np = (PyTupleObject *) PyTuple_New(size);
if (np == NULL)
return NULL;
diff -r 5ea0fef6ec53 Objects/bytearrayobject.c
--- a/Objects/bytearrayobject.c Wed Dec 28 15:41:09 2016 -0800
+++ b/Objects/bytearrayobject.c Thu Jan 05 14:05:29 2017 +0800
@@ -1571,31 +1571,30 @@
{
char *self_s, *result_s;
Py_ssize_t self_len, result_len;
- Py_ssize_t count, i, product;
+ Py_ssize_t count, i;
PyByteArrayObject *result;
self_len = PyByteArray_GET_SIZE(self);
- /* 1 at the end plus 1 after every character */
- count = self_len+1;
- if (maxcount < count)
+ /* 1 at the end plus 1 after every character;
+ count = min(maxcount, self_len + 1) */
+ if (maxcount <= self_len) {
count = maxcount;
+ }
+ else {
+ /* Can't overflow: self_len + 1 <= maxcount <= PY_SSIZE_T_MAX. */
+ count = self_len + 1;
+ }
/* Check for overflow */
/* result_len = count * to_len + self_len; */
- product = count * to_len;
- if (product / to_len != count) {
+ assert(count > 0);
+ if (to_len > (PY_SSIZE_T_MAX - self_len) / count) {
PyErr_SetString(PyExc_OverflowError,
- "replace string is too long");
+ "replace bytes is too long");
return NULL;
}
- result_len = product + self_len;
- if (result_len < 0) {
- PyErr_SetString(PyExc_OverflowError,
- "replace string is too long");
- return NULL;
- }
-
+ result_len = count * to_len + self_len;
if (! (result = (PyByteArrayObject *)
PyByteArray_FromStringAndSize(NULL, result_len)) )
return NULL;
@@ -1824,7 +1823,7 @@
char *self_s, *result_s;
char *start, *next, *end;
Py_ssize_t self_len, result_len;
- Py_ssize_t count, product;
+ Py_ssize_t count;
PyByteArrayObject *result;
self_s = PyByteArray_AS_STRING(self);
@@ -1838,16 +1837,12 @@
/* use the difference between current and new, hence the "-1" */
/* result_len = self_len + count * (to_len-1) */
- product = count * (to_len-1);
- if (product / (to_len-1) != count) {
+ assert(count > 0);
+ if (to_len - 1 > (PY_SSIZE_T_MAX - self_len) / count) {
PyErr_SetString(PyExc_OverflowError, "replace bytes is too long");
return NULL;
}
- result_len = self_len + product;
- if (result_len < 0) {
- PyErr_SetString(PyExc_OverflowError, "replace bytes is too long");
- return NULL;
- }
+ result_len = self_len + count * (to_len - 1);
if ( (result = (PyByteArrayObject *)
PyByteArray_FromStringAndSize(NULL, result_len)) == NULL)
@@ -1891,7 +1886,7 @@
char *self_s, *result_s;
char *start, *next, *end;
Py_ssize_t self_len, result_len;
- Py_ssize_t count, offset, product;
+ Py_ssize_t count, offset;
PyByteArrayObject *result;
self_s = PyByteArray_AS_STRING(self);
@@ -1908,16 +1903,12 @@
/* Check for overflow */
/* result_len = self_len + count * (to_len-from_len) */
- product = count * (to_len-from_len);
- if (product / (to_len-from_len) != count) {
+ assert(count > 0);
+ if (to_len - from_len > (PY_SSIZE_T_MAX - self_len) / count) {
PyErr_SetString(PyExc_OverflowError, "replace bytes is too long");
return NULL;
}
- result_len = self_len + product;
- if (result_len < 0) {
- PyErr_SetString(PyExc_OverflowError, "replace bytes is too long");
- return NULL;
- }
+ result_len = self_len + count * (to_len - from_len);
if ( (result = (PyByteArrayObject *)
PyByteArray_FromStringAndSize(NULL, result_len)) == NULL)
diff -r 5ea0fef6ec53 Objects/stringobject.c
--- a/Objects/stringobject.c Wed Dec 28 15:41:09 2016 -0800
+++ b/Objects/stringobject.c Thu Jan 05 14:05:29 2017 +0800
@@ -2358,31 +2358,30 @@
{
char *self_s, *result_s;
Py_ssize_t self_len, result_len;
- Py_ssize_t count, i, product;
+ Py_ssize_t count, i;
PyStringObject *result;
self_len = PyString_GET_SIZE(self);
- /* 1 at the end plus 1 after every character */
- count = self_len+1;
- if (maxcount < count)
+ /* 1 at the end plus 1 after every character;
+ count = min(maxcount, self_len + 1) */
+ if (maxcount <= self_len) {
count = maxcount;
+ }
+ else {
+ /* Can't overflow: self_len + 1 <= maxcount <= PY_SSIZE_T_MAX. */
+ count = self_len + 1;
+ }
/* Check for overflow */
/* result_len = count * to_len + self_len; */
- product = count * to_len;
- if (product / to_len != count) {
+ assert(count > 0);
+ if (to_len > (PY_SSIZE_T_MAX - self_len) / count) {
PyErr_SetString(PyExc_OverflowError,
"replace string is too long");
return NULL;
}
- result_len = product + self_len;
- if (result_len < 0) {
- PyErr_SetString(PyExc_OverflowError,
- "replace string is too long");
- return NULL;
- }
-
+ result_len = count * to_len + self_len;
if (! (result = (PyStringObject *)
PyString_FromStringAndSize(NULL, result_len)) )
return NULL;
@@ -2610,7 +2609,7 @@
char *self_s, *result_s;
char *start, *next, *end;
Py_ssize_t self_len, result_len;
- Py_ssize_t count, product;
+ Py_ssize_t count;
PyStringObject *result;
self_s = PyString_AS_STRING(self);
@@ -2624,16 +2623,12 @@
/* use the difference between current and new, hence the "-1" */
/* result_len = self_len + count * (to_len-1) */
- product = count * (to_len-1);
- if (product / (to_len-1) != count) {
+ assert(count > 0);
+ if (to_len - 1 > (PY_SSIZE_T_MAX - self_len) / count) {
PyErr_SetString(PyExc_OverflowError, "replace string is too long");
return NULL;
}
- result_len = self_len + product;
- if (result_len < 0) {
- PyErr_SetString(PyExc_OverflowError, "replace string is too long");
- return NULL;
- }
+ result_len = self_len + count * (to_len - 1);
if ( (result = (PyStringObject *)
PyString_FromStringAndSize(NULL, result_len)) == NULL)
@@ -2676,7 +2671,7 @@
char *self_s, *result_s;
char *start, *next, *end;
Py_ssize_t self_len, result_len;
- Py_ssize_t count, offset, product;
+ Py_ssize_t count, offset;
PyStringObject *result;
self_s = PyString_AS_STRING(self);
@@ -2693,16 +2688,12 @@
/* Check for overflow */
/* result_len = self_len + count * (to_len-from_len) */
- product = count * (to_len-from_len);
- if (product / (to_len-from_len) != count) {
+ assert(count > 0);
+ if (to_len - from_len > (PY_SSIZE_T_MAX - self_len) / count) {
PyErr_SetString(PyExc_OverflowError, "replace string is too long");
return NULL;
}
- result_len = self_len + product;
- if (result_len < 0) {
- PyErr_SetString(PyExc_OverflowError, "replace string is too long");
- return NULL;
- }
+ result_len = self_len + count * (to_len - from_len);
if ( (result = (PyStringObject *)
PyString_FromStringAndSize(NULL, result_len)) == NULL)
Reference in New Issue View Git Blame Copy Permalink