Commit c9362cf8 authored by Victor Stinner's avatar Victor Stinner

Issue #19969: PyBytes_FromFormatV() now raises an OverflowError if "%c"

argument is not in range [0; 255].
parent 3ad2d709
...@@ -729,6 +729,12 @@ class BytesTest(BaseBytesTest, unittest.TestCase): ...@@ -729,6 +729,12 @@ class BytesTest(BaseBytesTest, unittest.TestCase):
self.assertEqual(PyBytes_FromFormat(b's:%s', c_char_p(b'cstr')), self.assertEqual(PyBytes_FromFormat(b's:%s', c_char_p(b'cstr')),
b's:cstr') b's:cstr')
# Issue #19969
self.assertRaises(OverflowError,
PyBytes_FromFormat, b'%c', c_int(-1))
self.assertRaises(OverflowError,
PyBytes_FromFormat, b'%c', c_int(256))
class ByteArrayTest(BaseBytesTest, unittest.TestCase): class ByteArrayTest(BaseBytesTest, unittest.TestCase):
type2test = bytearray type2test = bytearray
......
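Review bot: The added assertions exercise only the two rejected values just outside the range, `c_int(-1)` and `c_int(256)`. Nothing in this hunk checks that the edge values 0 and 255 are still accepted, which is where an off-by-one in the new `c < 0 || c > 255` comparison would show up. Consider adding `self.assertEqual(PyBytes_FromFormat(b'%c', c_int(255)), b'\xff')` and the matching case for `c_int(0)`, unless the part of the test method outside this hunk already covers them. The enclosing test method starts before the hunk, so existing `%c` coverage cannot be confirmed from here.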
...@@ -10,6 +10,9 @@ What's New in Python 3.3.4 release candidate 1? ...@@ -10,6 +10,9 @@ What's New in Python 3.3.4 release candidate 1?
Core and Builtins Core and Builtins
----------------- -----------------
- Issue #19969: PyBytes_FromFormatV() now raises an OverflowError if "%c"
argument is not in range [0; 255].
- Issue #14432: Generator now clears the borrowed reference to the thread - Issue #14432: Generator now clears the borrowed reference to the thread
state. Fix a crash when a generator is created in a C thread that is state. Fix a crash when a generator is created in a C thread that is
destroyed while the generator is still used. The issue was that a generator destroyed while the generator is still used. The issue was that a generator
......
...@@ -186,8 +186,17 @@ PyBytes_FromFormatV(const char *format, va_list vargs) ...@@ -186,8 +186,17 @@ PyBytes_FromFormatV(const char *format, va_list vargs)
switch (*f) { switch (*f) {
case 'c': case 'c':
(void)va_arg(count, int); {
/* fall through... */ int c = va_arg(count, int);
if (c < 0 || c > 255) {
PyErr_SetString(PyExc_OverflowError,
"PyBytes_FromFormatV(): %c format "
"expects an integer in range [0; 255]");
return NULL;
}
n++;
break;
}
case '%': case '%':
n++; n++;
break; break;
...@@ -267,8 +276,12 @@ PyBytes_FromFormatV(const char *format, va_list vargs) ...@@ -267,8 +276,12 @@ PyBytes_FromFormatV(const char *format, va_list vargs)
switch (*f) { switch (*f) {
case 'c': case 'c':
*s++ = va_arg(vargs, int); {
int c = va_arg(vargs, int);
/* c has been checked for overflow in the first step */
*s++ = (unsigned char)c;
break; break;
}
case 'd': case 'd':
if (longflag) if (longflag)
sprintf(s, "%ld", va_arg(vargs, long)); sprintf(s, "%ld", va_arg(vargs, long));
......
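Review bot: In the second hunk (old line 267), the store `*s++ = (unsigned char)c;` relies on a comment alone. The range check exists only in the sizing pass, so the write is safe only while both loops consume the varargs identically for every conversion. Adding `assert(0 <= c && c <= 255);` before the store would turn that comment into a checked invariant in debug builds at no release cost. Separately, the new `return NULL` in the sizing pass exits before whatever follows that loop. The setup of `count` is outside the hunk, so if it is a copied va_list it is worth confirming that no `va_end` or other cleanup is skipped.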