Commit 99e2e555 authored by Mark Dickinson's avatar Mark Dickinson

Issue #14700: Fix two broken and undefined-behaviour-inducing overflow checks...

Issue #14700: Fix two broken and undefined-behaviour-inducing overflow checks in old-style string formatting.  Thanks Serhiy Storchaka for report and original patch.
parent 10ba07a3
...@@ -1197,6 +1197,10 @@ class MixinStrUnicodeUserStringTest: ...@@ -1197,6 +1197,10 @@ class MixinStrUnicodeUserStringTest:
self.checkraises(TypeError, '%10.*f', '__mod__', ('foo', 42.)) self.checkraises(TypeError, '%10.*f', '__mod__', ('foo', 42.))
self.checkraises(ValueError, '%10', '__mod__', (42,)) self.checkraises(ValueError, '%10', '__mod__', (42,))
# Outrageously large width or precision should raise ValueError.
self.checkraises(ValueError, '%%%df' % (2**64), '__mod__', (3.2))
self.checkraises(ValueError, '%%.%df' % (2**64), '__mod__', (3.2))
def test_floatformatting(self): def test_floatformatting(self):
# float formatting # float formatting
for prec in range(100): for prec in range(100):
......
...@@ -10,6 +10,9 @@ What's New in Python 3.3.0 Alpha 4? ...@@ -10,6 +10,9 @@ What's New in Python 3.3.0 Alpha 4?
Core and Builtins Core and Builtins
----------------- -----------------
- Issue #14700: Fix two broken and undefined-behaviour-inducing overflow checks
in old-style string formatting.
- Issue #14705: The PyArg_Parse() family of functions now support the 'p' format - Issue #14705: The PyArg_Parse() family of functions now support the 'p' format
unit, which accepts a "boolean predicate" argument. It converts any Python unit, which accepts a "boolean predicate" argument. It converts any Python
value into an integer--0 if it is "false", and 1 otherwise. value into an integer--0 if it is "false", and 1 otherwise.
......
...@@ -13933,7 +13933,7 @@ PyUnicode_Format(PyObject *format, PyObject *args) ...@@ -13933,7 +13933,7 @@ PyUnicode_Format(PyObject *format, PyObject *args)
c = PyUnicode_READ(fmtkind, fmt, fmtpos++); c = PyUnicode_READ(fmtkind, fmt, fmtpos++);
if (c < '0' || c > '9') if (c < '0' || c > '9')
break; break;
if ((width*10) / 10 != width) { if (width > (PY_SSIZE_T_MAX - (c - '0')) / 10) {
PyErr_SetString(PyExc_ValueError, PyErr_SetString(PyExc_ValueError,
"width too big"); "width too big");
goto onError; goto onError;
...@@ -13968,7 +13968,7 @@ PyUnicode_Format(PyObject *format, PyObject *args) ...@@ -13968,7 +13968,7 @@ PyUnicode_Format(PyObject *format, PyObject *args)
c = PyUnicode_READ(fmtkind, fmt, fmtpos++); c = PyUnicode_READ(fmtkind, fmt, fmtpos++);
if (c < '0' || c > '9') if (c < '0' || c > '9')
break; break;
if ((prec*10) / 10 != prec) { if (prec > (INT_MAX - (c - '0')) / 10) {
PyErr_SetString(PyExc_ValueError, PyErr_SetString(PyExc_ValueError,
"prec too big"); "prec too big");
goto onError; goto onError;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment