Issue #27473: Fixed possible integer overflow in bytes and bytearray

concatenations. Patch by Xiang Zhang.

Issue #27473: Fixed possible integer overflow in bytes and bytearray
concatenations. Patch by Xiang Zhang.
ca0da9b0 · Serhiy Storchaka · ce85acff · 06cfb0cd · ca0da9b0 · ca0da9b0
Commit ca0da9b0 authored Jul 10, 2016 by Serhiy Storchaka
Show whitespace changes
Inline Side-by-side

Showing with 14 additions and 16 deletions

Misc/NEWS Misc/NEWS +3 -0

Objects/bytearrayobject.c Objects/bytearrayobject.c +9 -12

Objects/bytesobject.c Objects/bytesobject.c +2 -4

No files found.
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 3.6.0 alpha 3
 Core and Builtins
 -----------------
+- Issue #27473: Fixed possible integer overflow in bytes and bytearray
+  concatenations.  Patch by Xiang Zhang.
 - Issue #23034: The output of a special Python build with defined COUNT_ALLOCS,
  SHOW_ALLOC_COUNT or SHOW_TRACK_COUNT macros is now off by  default.  It can
  be re-enabled using the "-X showalloccount" option.  It now outputs to stderr

--- a/Objects/bytearrayobject.c
+++ b/Objects/bytearrayobject.c
@@ -246,7 +246,6 @@ PyByteArray_Resize(PyObject *self, Py_ssize_t requested_size)
 PyObject *
 PyByteArray_Concat(PyObject *a, PyObject *b)
 {
-    Py_ssize_t size;
    Py_buffer va, vb;
    PyByteArrayObject *result = NULL;
@@ -259,13 +258,13 @@ PyByteArray_Concat(PyObject *a, PyObject *b)
            goto done;
    }
-    size = va.len + vb.len;
+    if (va.len > PY_SSIZE_T_MAX - vb.len) {
-    if (size < 0) {
        PyErr_NoMemory();
        goto done;
    }
-    result = (PyByteArrayObject *) PyByteArray_FromStringAndSize(NULL, size);
+    result = (PyByteArrayObject *) \
+        PyByteArray_FromStringAndSize(NULL, va.len + vb.len);
    if (result != NULL) {
        memcpy(result->ob_bytes, va.buf, va.len);
        memcpy(result->ob_bytes + va.len, vb.buf, vb.len);
@@ -290,7 +289,6 @@ bytearray_length(PyByteArrayObject *self)
 static PyObject *
 bytearray_iconcat(PyByteArrayObject *self, PyObject *other)
 {
-    Py_ssize_t mysize;
    Py_ssize_t size;
    Py_buffer vo;
@@ -300,17 +298,16 @@ bytearray_iconcat(PyByteArrayObject *self, PyObject *other)
        return NULL;
    }
-    mysize = Py_SIZE(self);
+    size = Py_SIZE(self);
-    size = mysize + vo.len;
+    if (size > PY_SSIZE_T_MAX - vo.len) {
-    if (size < 0) {
        PyBuffer_Release(&vo);
        return PyErr_NoMemory();
    }
-    if (PyByteArray_Resize((PyObject *)self, size) < 0) {
+    if (PyByteArray_Resize((PyObject *)self, size + vo.len) < 0) {
        PyBuffer_Release(&vo);
        return NULL;
    }
-    memcpy(PyByteArray_AS_STRING(self) + mysize, vo.buf, vo.len);
+    memcpy(PyByteArray_AS_STRING(self) + size, vo.buf, vo.len);
    PyBuffer_Release(&vo);
    Py_INCREF(self);
    return (PyObject *)self;

--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -1388,7 +1388,6 @@ bytes_length(PyBytesObject *a)
 static PyObject *
 bytes_concat(PyObject *a, PyObject *b)
 {
-    Py_ssize_t size;
    Py_buffer va, vb;
    PyObject *result = NULL;
@@ -1413,13 +1412,12 @@ bytes_concat(PyObject *a, PyObject *b)
        goto done;
    }
-    size = va.len + vb.len;
+    if (va.len > PY_SSIZE_T_MAX - vb.len) {
-    if (size < 0) {
        PyErr_NoMemory();
        goto done;
    }
-    result = PyBytes_FromStringAndSize(NULL, size);
+    result = PyBytes_FromStringAndSize(NULL, va.len + vb.len);
    if (result != NULL) {
        memcpy(PyBytes_AS_STRING(result), va.buf, va.len);
        memcpy(PyBytes_AS_STRING(result) + va.len, vb.buf, vb.len);