Fix the overflows in expandtabs(). "This time for sure!"

(Exploit at request.)

Fix the overflows in expandtabs(). "This time for sure!"
(Exploit at request.)
44a93e54 · Guido van Rossum · 8e741e00 · 44a93e54 · 44a93e54
Commit 44a93e54 authored Mar 11, 2008 by Guido van Rossum
Hide whitespace changes
Inline Side-by-side

Showing with 65 additions and 50 deletions

Objects/stringobject.c Objects/stringobject.c +32 -25

Objects/unicodeobject.c Objects/unicodeobject.c +33 -25

No files found.
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -3299,9 +3299,9 @@ If tabsize is not given, a tab size of 8 characters is assumed.");
 static PyObject*
 string_expandtabs(PyStringObject *self, PyObject *args)
 {
-    const char *e, *p;
+    const char *e, *p, *qe;
    char *q;
-    Py_ssize_t i, j, old_j;
+    Py_ssize_t i, j, incr;
    PyObject *u;
    int tabsize = 8;
@@ -3309,63 +3309,70 @@ string_expandtabs(PyStringObject *self, PyObject *args)
 	return NULL;
    /* First pass: determine size of output string */
-    i = j = old_j = 0;
+    i = 0; /* chars up to and including most recent \n or \r */
-    e = PyString_AS_STRING(self) + PyString_GET_SIZE(self);
+    j = 0; /* chars since most recent \n or \r (use in tab calculations) */
+    e = PyString_AS_STRING(self) + PyString_GET_SIZE(self); /* end of input */
    for (p = PyString_AS_STRING(self); p < e; p++)
        if (*p == '\t') {
 	    if (tabsize > 0) {
-		j += tabsize - (j % tabsize);
+		incr = tabsize - (j % tabsize);
-		if (old_j > j) {
+		if (j > PY_SSIZE_T_MAX - incr)
-		    PyErr_SetString(PyExc_OverflowError,
+		    goto overflow1;
-				    "new string is too long");
+		j += incr;
-		    return NULL;
-		}
-		old_j = j;
            }
 	}
        else {
+	    if (j > PY_SSIZE_T_MAX - 1)
+		goto overflow1;
            j++;
            if (*p == '\n' || *p == '\r') {
+		if (i > PY_SSIZE_T_MAX - j)
+		    goto overflow1;
                i += j;
-                old_j = j = 0;
+                j = 0;
-                if (i < 0) {
-                    PyErr_SetString(PyExc_OverflowError,
-                                    "new string is too long");
-                    return NULL;
-                }
            }
        }
-    if ((i + j) < 0) {
+    if (i > PY_SSIZE_T_MAX - j)
-        PyErr_SetString(PyExc_OverflowError, "new string is too long");
+	goto overflow1;
-        return NULL;
-    }
    /* Second pass: create output string and fill it */
    u = PyString_FromStringAndSize(NULL, i + j);
    if (!u)
        return NULL;
-    j = 0;
+    j = 0; /* same as in first pass */
-    q = PyString_AS_STRING(u);
+    q = PyString_AS_STRING(u); /* next output char */
+    qe = PyString_AS_STRING(u) + PyString_GET_SIZE(u); /* end of output */
    for (p = PyString_AS_STRING(self); p < e; p++)
        if (*p == '\t') {
 	    if (tabsize > 0) {
 		i = tabsize - (j % tabsize);
 		j += i;
-		while (i--)
+		while (i--) {
+		    if (q >= qe)
+			goto overflow2;
 		    *q++ = ' ';
+		}
 	    }
 	}
 	else {
-            j++;
+	    if (q >= qe)
+		goto overflow2;
 	    *q++ = *p;
+            j++;
            if (*p == '\n' || *p == '\r')
                j = 0;
        }
    return u;
+  overflow2:
+    Py_DECREF(u);
+  overflow1:
+    PyErr_SetString(PyExc_OverflowError, "new string is too long");
+    return NULL;
 }
 Py_LOCAL_INLINE(PyObject *)

--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -5689,7 +5689,8 @@ unicode_expandtabs(PyUnicodeObject *self, PyObject *args)
    Py_UNICODE *e;
    Py_UNICODE *p;
    Py_UNICODE *q;
-    Py_ssize_t i, j, old_j;
+    Py_UNICODE *qe;
+    Py_ssize_t i, j, incr;
    PyUnicodeObject *u;
    int tabsize = 8;
@@ -5697,63 +5698,70 @@ unicode_expandtabs(PyUnicodeObject *self, PyObject *args)
 	return NULL;
    /* First pass: determine size of output string */
-    i = j = old_j = 0;
+    i = 0; /* chars up to and including most recent \n or \r */
-    e = self->str + self->length;
+    j = 0; /* chars since most recent \n or \r (use in tab calculations) */
+    e = self->str + self->length; /* end of input */
    for (p = self->str; p < e; p++)
        if (*p == '\t') {
 	    if (tabsize > 0) {
-		j += tabsize - (j % tabsize);
+		incr = tabsize - (j % tabsize); /* cannot overflow */
-		if (old_j > j) {
+		if (j > PY_SSIZE_T_MAX - incr)
-		    PyErr_SetString(PyExc_OverflowError,
+		    goto overflow1;
-				    "new string is too long");
+		j += incr;
-		    return NULL;
+            }
-		}
-		old_j = j;
-	    }
 	}
        else {
+	    if (j > PY_SSIZE_T_MAX - 1)
+		goto overflow1;
            j++;
            if (*p == '\n' || *p == '\r') {
+		if (i > PY_SSIZE_T_MAX - j)
+		    goto overflow1;
                i += j;
-                old_j = j = 0;
+                j = 0;
-                if (i < 0) {
-                    PyErr_SetString(PyExc_OverflowError,
-                                    "new string is too long");
-                    return NULL;
-                }
            }
        }
-    if ((i + j) < 0) {
+    if (i > PY_SSIZE_T_MAX - j)
-        PyErr_SetString(PyExc_OverflowError, "new string is too long");
+	goto overflow1;
-        return NULL;
-    }
    /* Second pass: create output string and fill it */
    u = _PyUnicode_New(i + j);
    if (!u)
        return NULL;
-    j = 0;
+    j = 0; /* same as in first pass */
-    q = u->str;
+    q = u->str; /* next output char */
+    qe = u->str + u->length; /* end of output */
    for (p = self->str; p < e; p++)
        if (*p == '\t') {
 	    if (tabsize > 0) {
 		i = tabsize - (j % tabsize);
 		j += i;
-		while (i--)
+		while (i--) {
+		    if (q >= qe)
+			goto overflow2;
 		    *q++ = ' ';
+                }
 	    }
 	}
 	else {
-            j++;
+	    if (q >= qe)
+		goto overflow2;
 	    *q++ = *p;
+            j++;
            if (*p == '\n' || *p == '\r')
                j = 0;
        }
    return (PyObject*) u;
+  overflow2:
+    Py_DECREF(u);
+  overflow1:
+    PyErr_SetString(PyExc_OverflowError, "new string is too long");
+    return NULL;
 }
 PyDoc_STRVAR(find__doc__,