Commit ec31075c authored by Benjamin Peterson's avatar Benjamin Peterson

merge 3.3 (closes #27760)

parents dfc0ac16 d4250a42
...@@ -16,6 +16,8 @@ Library ...@@ -16,6 +16,8 @@ Library
- In the curses module, raise an error if window.getstr() is passed a negative - In the curses module, raise an error if window.getstr() is passed a negative
value. value.
- Issue #27760: Fix possible integer overflow in binascii.b2a_qp.
- Issue #27758: Fix possible integer overflow in the _csv module for large record - Issue #27758: Fix possible integer overflow in the _csv module for large record
lengths. lengths.
......
...@@ -1408,6 +1408,7 @@ binascii_b2a_qp_impl(PyModuleDef *module, Py_buffer *data, int quotetabs, int is ...@@ -1408,6 +1408,7 @@ binascii_b2a_qp_impl(PyModuleDef *module, Py_buffer *data, int quotetabs, int is
/* First, scan to see how many characters need to be encoded */ /* First, scan to see how many characters need to be encoded */
in = 0; in = 0;
while (in < datalen) { while (in < datalen) {
Py_ssize_t delta = 0;
if ((databuf[in] > 126) || if ((databuf[in] > 126) ||
(databuf[in] == '=') || (databuf[in] == '=') ||
(header && databuf[in] == '_') || (header && databuf[in] == '_') ||
...@@ -1422,12 +1423,12 @@ binascii_b2a_qp_impl(PyModuleDef *module, Py_buffer *data, int quotetabs, int is ...@@ -1422,12 +1423,12 @@ binascii_b2a_qp_impl(PyModuleDef *module, Py_buffer *data, int quotetabs, int is
if ((linelen + 3) >= MAXLINESIZE) { if ((linelen + 3) >= MAXLINESIZE) {
linelen = 0; linelen = 0;
if (crlf) if (crlf)
odatalen += 3; delta += 3;
else else
odatalen += 2; delta += 2;
} }
linelen += 3; linelen += 3;
odatalen += 3; delta += 3;
in++; in++;
} }
else { else {
...@@ -1439,11 +1440,11 @@ binascii_b2a_qp_impl(PyModuleDef *module, Py_buffer *data, int quotetabs, int is ...@@ -1439,11 +1440,11 @@ binascii_b2a_qp_impl(PyModuleDef *module, Py_buffer *data, int quotetabs, int is
linelen = 0; linelen = 0;
/* Protect against whitespace on end of line */ /* Protect against whitespace on end of line */
if (in && ((databuf[in-1] == ' ') || (databuf[in-1] == '\t'))) if (in && ((databuf[in-1] == ' ') || (databuf[in-1] == '\t')))
odatalen += 2; delta += 2;
if (crlf) if (crlf)
odatalen += 2; delta += 2;
else else
odatalen += 1; delta += 1;
if (databuf[in] == '\r') if (databuf[in] == '\r')
in += 2; in += 2;
else else
...@@ -1455,15 +1456,20 @@ binascii_b2a_qp_impl(PyModuleDef *module, Py_buffer *data, int quotetabs, int is ...@@ -1455,15 +1456,20 @@ binascii_b2a_qp_impl(PyModuleDef *module, Py_buffer *data, int quotetabs, int is
(linelen + 1) >= MAXLINESIZE) { (linelen + 1) >= MAXLINESIZE) {
linelen = 0; linelen = 0;
if (crlf) if (crlf)
odatalen += 3; delta += 3;
else else
odatalen += 2; delta += 2;
} }
linelen++; linelen++;
odatalen++; delta++;
in++; in++;
} }
} }
if (PY_SSIZE_T_MAX - delta < odatalen) {
PyErr_NoMemory();
return NULL;
}
odatalen += delta;
} }
/* We allocate the output same size as input, this is overkill. /* We allocate the output same size as input, this is overkill.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment