[Python-checkins] cpython (3.3): Issue #19969: PyBytes_FromFormatV() now raises an OverflowError if "%c"

Fri Dec 13 12:47:52 CET 2013

http://hg.python.org/cpython/rev/68e0dbc492de
changeset:   87932:68e0dbc492de
branch:      3.3
parent:      87928:08c95dd68cfc
user:        Victor Stinner <victor.stinner at gmail.com>
date:        Fri Dec 13 12:14:44 2013 +0100
summary:
  Issue #19969: PyBytes_FromFormatV() now raises an OverflowError if "%c"
argument is not in range [0; 255].

files:
  Lib/test/test_bytes.py |   6 ++++++
  Misc/NEWS              |   3 +++
  Objects/bytesobject.c  |  19 ++++++++++++++++---
  3 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/Lib/test/test_bytes.py b/Lib/test/test_bytes.py
--- a/Lib/test/test_bytes.py
+++ b/Lib/test/test_bytes.py
@@ -729,6 +729,12 @@
         self.assertEqual(PyBytes_FromFormat(b's:%s', c_char_p(b'cstr')),
                          b's:cstr')
 
+        # Issue #19969
+        self.assertRaises(OverflowError,
+                          PyBytes_FromFormat, b'%c', c_int(-1))
+        self.assertRaises(OverflowError,
+                          PyBytes_FromFormat, b'%c', c_int(256))
+
 
 class ByteArrayTest(BaseBytesTest, unittest.TestCase):
     type2test = bytearray
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@
 Core and Builtins
 -----------------
 
+- Issue #19969: PyBytes_FromFormatV() now raises an OverflowError if "%c"
+  argument is not in range [0; 255].
+
 - Issue #14432: Generator now clears the borrowed reference to the thread
   state. Fix a crash when a generator is created in a C thread that is
   destroyed while the generator is still used. The issue was that a generator
diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -186,8 +186,17 @@
 
             switch (*f) {
             case 'c':
-                (void)va_arg(count, int);
-                /* fall through... */
+            {
+                int c = va_arg(count, int);
+                if (c < 0 || c > 255) {
+                    PyErr_SetString(PyExc_OverflowError,
+                                    "PyBytes_FromFormatV(): %c format "
+                                    "expects an integer in range [0; 255]");
+                    return NULL;
+                }
+                n++;
+                break;
+            }
             case '%':
                 n++;
                 break;
@@ -267,8 +276,12 @@
 
             switch (*f) {
             case 'c':
-                *s++ = va_arg(vargs, int);
+            {
+                int c = va_arg(vargs, int);
+                /* c has been checked for overflow in the first step */
+                *s++ = (unsigned char)c;
                 break;
+            }
             case 'd':
                 if (longflag)
                     sprintf(s, "%ld", va_arg(vargs, long));

-- 
Repository URL: http://hg.python.org/cpython
