[Python-checkins] cpython (3.5): Issue #24989: Fixed buffer overread in BytesIO.readline() if a position is

Fri Sep 4 00:09:47 CEST 2015

https://hg.python.org/cpython/rev/a5858c30db7c
changeset:   97636:a5858c30db7c
branch:      3.5
parent:      97634:c9dbfd8edcaa
user:        Serhiy Storchaka <storchaka at gmail.com>
date:        Fri Sep 04 01:08:03 2015 +0300
summary:
  Issue #24989: Fixed buffer overread in BytesIO.readline() if a position is
set beyond size.  Based on patch by John Leitch.

files:
  Lib/test/test_memoryio.py |  13 +++++++++++++
  Misc/NEWS                 |   3 +++
  Modules/_io/bytesio.c     |   6 +++++-
  3 files changed, 21 insertions(+), 1 deletions(-)

diff --git a/Lib/test/test_memoryio.py b/Lib/test/test_memoryio.py
--- a/Lib/test/test_memoryio.py
+++ b/Lib/test/test_memoryio.py
@@ -166,6 +166,10 @@
         memio.seek(0)
         self.assertEqual(memio.read(None), buf)
         self.assertRaises(TypeError, memio.read, '')
+        memio.seek(len(buf) + 1)
+        self.assertEqual(memio.read(1), self.EOF)
+        memio.seek(len(buf) + 1)
+        self.assertEqual(memio.read(), self.EOF)
         memio.close()
         self.assertRaises(ValueError, memio.read)
 
@@ -185,6 +189,9 @@
         self.assertEqual(memio.readline(-1), buf)
         memio.seek(0)
         self.assertEqual(memio.readline(0), self.EOF)
+        # Issue #24989: Buffer overread
+        memio.seek(len(buf) * 2 + 1)
+        self.assertEqual(memio.readline(), self.EOF)
 
         buf = self.buftype("1234567890\n")
         memio = self.ioclass((buf * 3)[:-1])
@@ -217,6 +224,9 @@
         memio.seek(0)
         self.assertEqual(memio.readlines(None), [buf] * 10)
         self.assertRaises(TypeError, memio.readlines, '')
+        # Issue #24989: Buffer overread
+        memio.seek(len(buf) * 10 + 1)
+        self.assertEqual(memio.readlines(), [])
         memio.close()
         self.assertRaises(ValueError, memio.readlines)
 
@@ -238,6 +248,9 @@
             self.assertEqual(line, buf)
             i += 1
         self.assertEqual(i, 10)
+        # Issue #24989: Buffer overread
+        memio.seek(len(buf) * 10 + 1)
+        self.assertEqual(list(memio), [])
         memio = self.ioclass(buf * 2)
         memio.close()
         self.assertRaises(ValueError, memio.__next__)
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -92,6 +92,9 @@
 Library
 -------
 
+- Issue #24989: Fixed buffer overread in BytesIO.readline() if a position is
+  set beyond size.  Based on patch by John Leitch.
+
 - Issue #24847: Removes vcruntime140.dll dependency from Tcl/Tk.
 
 - Issue #24839: platform._syscmd_ver raises DeprecationWarning
diff --git a/Modules/_io/bytesio.c b/Modules/_io/bytesio.c
--- a/Modules/_io/bytesio.c
+++ b/Modules/_io/bytesio.c
@@ -57,14 +57,18 @@
     Py_ssize_t maxlen;
 
     assert(self->buf != NULL);
+    assert(self->pos >= 0);
+
+    if (self->pos >= self->string_size)
+        return 0;
 
     /* Move to the end of the line, up to the end of the string, s. */
-    start = PyBytes_AS_STRING(self->buf) + self->pos;
     maxlen = self->string_size - self->pos;
     if (len < 0 || len > maxlen)
         len = maxlen;
 
     if (len) {
+        start = PyBytes_AS_STRING(self->buf) + self->pos;
         n = memchr(start, '\n', len);
         if (n)
             /* Get the length from the current position to the end of

-- 
Repository URL: https://hg.python.org/cpython
