[Python-checkins] r55840 - in python/branches/release25-maint: Lib/test/test_str.py Lib/test/test_unicode.py Misc/NEWS Objects/stringobject.c Objects/unicodeobject.c

neal.norwitz python-checkins at python.org
Sat Jun 9 06:06:37 CEST 2007 

Author: neal.norwitz
Date: Sat Jun  9 06:06:30 2007
New Revision: 55840

Modified:
   python/branches/release25-maint/Lib/test/test_str.py
   python/branches/release25-maint/Lib/test/test_unicode.py
   python/branches/release25-maint/Misc/NEWS
   python/branches/release25-maint/Objects/stringobject.c
   python/branches/release25-maint/Objects/unicodeobject.c
Log:
Prevent expandtabs() on string and unicode objects from causing a segfault when
a large width is passed on 32-bit platforms.  Found by Google.

It would be good for people to review this especially carefully and verify
I don't have an off by one error and there is no other way to cause overflow.



Modified: python/branches/release25-maint/Lib/test/test_str.py
==============================================================================
--- python/branches/release25-maint/Lib/test/test_str.py	(original)
+++ python/branches/release25-maint/Lib/test/test_str.py	Sat Jun  9 06:06:30 2007
@@ -1,4 +1,6 @@
+
 import unittest
+import sys
 from test import test_support, string_tests
 
 
@@ -82,6 +84,15 @@
         self.assertEqual(str(Foo9("foo")), "string")
         self.assertEqual(unicode(Foo9("foo")), u"not unicode")
 
+    def test_expandtabs_overflows_gracefully(self):
+        # This test only affects 32-bit platforms because expandtabs can only take
+        # an int as the max value, not a 64-bit C long.  If expandtabs is changed
+        # to take a 64-bit long, this test should apply to all platforms.
+        if sys.maxint > (1 << 32):
+            return
+        self.assertRaises(OverflowError, 't\tt\t'.expandtabs, sys.maxint)
+
+
 def test_main():
     test_support.run_unittest(StrTest)
 

Modified: python/branches/release25-maint/Lib/test/test_unicode.py
==============================================================================
--- python/branches/release25-maint/Lib/test/test_unicode.py	(original)
+++ python/branches/release25-maint/Lib/test/test_unicode.py	Sat Jun  9 06:06:30 2007
@@ -817,8 +817,13 @@
         self.assertEqual(repr(s1()), '\\n')
         self.assertEqual(repr(s2()), '\\n')
 
-
-
+    def test_expandtabs_overflows_gracefully(self):
+        # This test only affects 32-bit platforms because expandtabs can only take
+        # an int as the max value, not a 64-bit C long.  If expandtabs is changed
+        # to take a 64-bit long, this test should apply to all platforms.
+        if sys.maxint > (1 << 32):
+            return
+        self.assertRaises(OverflowError, u't\tt\t'.expandtabs, sys.maxint)
 
 
 def test_main():

Modified: python/branches/release25-maint/Misc/NEWS
==============================================================================
--- python/branches/release25-maint/Misc/NEWS	(original)
+++ python/branches/release25-maint/Misc/NEWS	Sat Jun  9 06:06:30 2007
@@ -12,6 +12,9 @@
 Core and builtins
 -----------------
 
+- Prevent expandtabs() on string and unicode objects from causing a segfault when
+  a large width is passed on 32-bit platforms.
+
 - Bug #1733488: Fix compilation of bufferobject.c on AIX.
 
 

Modified: python/branches/release25-maint/Objects/stringobject.c
==============================================================================
--- python/branches/release25-maint/Objects/stringobject.c	(original)
+++ python/branches/release25-maint/Objects/stringobject.c	Sat Jun  9 06:06:30 2007
@@ -3298,7 +3298,7 @@
 {
     const char *e, *p;
     char *q;
-    Py_ssize_t i, j;
+    Py_ssize_t i, j, old_j;
     PyObject *u;
     int tabsize = 8;
 
@@ -3306,12 +3306,18 @@
 	return NULL;
 
     /* First pass: determine size of output string */
-    i = j = 0;
+    i = j = old_j = 0;
     e = PyString_AS_STRING(self) + PyString_GET_SIZE(self);
     for (p = PyString_AS_STRING(self); p < e; p++)
         if (*p == '\t') {
-	    if (tabsize > 0)
+	    if (tabsize > 0) {
 		j += tabsize - (j % tabsize);
+		if (old_j > j) {
+		    PyErr_SetString(PyExc_OverflowError, "new string is too long");
+		    return NULL;
+		}
+		old_j = j;
+            }
 	}
         else {
             j++;
@@ -3321,6 +3327,11 @@
             }
         }
 
+    if ((i + j) < 0) {
+        PyErr_SetString(PyExc_OverflowError, "new string is too long");
+        return NULL;
+    }
+
     /* Second pass: create output string and fill it */
     u = PyString_FromStringAndSize(NULL, i + j);
     if (!u)

Modified: python/branches/release25-maint/Objects/unicodeobject.c
==============================================================================
--- python/branches/release25-maint/Objects/unicodeobject.c	(original)
+++ python/branches/release25-maint/Objects/unicodeobject.c	Sat Jun  9 06:06:30 2007
@@ -5686,7 +5686,7 @@
     Py_UNICODE *e;
     Py_UNICODE *p;
     Py_UNICODE *q;
-    Py_ssize_t i, j;
+    Py_ssize_t i, j, old_j;
     PyUnicodeObject *u;
     int tabsize = 8;
 
@@ -5694,12 +5694,18 @@
 	return NULL;
 
     /* First pass: determine size of output string */
-    i = j = 0;
+    i = j = old_j = 0;
     e = self->str + self->length;
     for (p = self->str; p < e; p++)
         if (*p == '\t') {
-	    if (tabsize > 0)
+	    if (tabsize > 0) {
 		j += tabsize - (j % tabsize);
+		if (old_j > j) {
+		    PyErr_SetString(PyExc_OverflowError, "new string is too long");
+		    return NULL;
+		}
+		old_j = j;
+	    }
 	}
         else {
             j++;
@@ -5709,6 +5715,11 @@
             }
         }
 
+    if ((i + j) < 0) {
+        PyErr_SetString(PyExc_OverflowError, "new string is too long");
+        return NULL;
+    }
+
     /* Second pass: create output string and fill it */
     u = _PyUnicode_New(i + j);
     if (!u)

More information about the Python-checkins mailing list