Avoid integer overflow when decoding bytes/charptr (GH-3535)

Fixes GH-3534.

Avoid integer overflow when decoding bytes/charptr (GH-3535)
Fixes GH-3534.
7b98f54a · Sam Sneddon · GitHub · 090809da · 7b98f54a · 7b98f54a
Commit 7b98f54a authored Apr 20, 2020 by Sam Sneddon Committed by GitHub Apr 20, 2020
Showing with 38 additions and 4 deletions

Cython/Utility/StringTools.c Cython/Utility/StringTools.c +4 -4

tests/run/bytesmethods.pyx tests/run/bytesmethods.pyx +16 -0

tests/run/charptr_decode.pyx tests/run/charptr_decode.pyx +18 -0

No files found.
--- a/Cython/Utility/StringTools.c
+++ b/Cython/Utility/StringTools.c
@@ -518,9 +518,9 @@ static CYTHON_INLINE PyObject* __Pyx_decode_c_string(
        if (stop < 0)
            stop += length;
    }
-    length = stop - start;
-    if (unlikely(length <= 0))
+    if (unlikely(stop <= start))
        return PyUnicode_FromUnicode(NULL, 0);
+    length = stop - start;
    cstring += start;
    if (decode_func) {
        return decode_func(cstring, length, errors);
@@ -554,9 +554,9 @@ static CYTHON_INLINE PyObject* __Pyx_decode_c_bytes(
    }
    if (stop > length)
        stop = length;
-    length = stop - start;
-    if (unlikely(length <= 0))
+    if (unlikely(stop <= start))
        return PyUnicode_FromUnicode(NULL, 0);
+    length = stop - start;
    cstring += start;
    if (decode_func) {
        return decode_func(cstring, length, errors);

--- a/tests/run/bytesmethods.pyx
+++ b/tests/run/bytesmethods.pyx
 cimport cython

+cdef extern from *:
+    cdef Py_ssize_t PY_SSIZE_T_MIN
+    cdef Py_ssize_t PY_SSIZE_T_MAX
+
+SSIZE_T_MAX = PY_SSIZE_T_MAX
+SSIZE_T_MIN = PY_SSIZE_T_MIN
+
+
 b_a = b'a'
 b_b = b'b'

@@ -114,6 +122,14 @@ def bytes_decode(bytes s, start=None, stop=None):
    <BLANKLINE>
    >>> print(bytes_decode(s, -300, -500))
    <BLANKLINE>
+    >>> print(bytes_decode(s, SSIZE_T_MIN, SSIZE_T_MIN))
+    <BLANKLINE>
+    >>> print(bytes_decode(s, SSIZE_T_MIN, SSIZE_T_MAX))
+    abaab
+    >>> print(bytes_decode(s, SSIZE_T_MAX, SSIZE_T_MIN))
+    <BLANKLINE>
+    >>> print(bytes_decode(s, SSIZE_T_MAX, SSIZE_T_MAX))
+    <BLANKLINE>

    >>> s[:'test']                       # doctest: +ELLIPSIS
    Traceback (most recent call last):

--- a/tests/run/charptr_decode.pyx
+++ b/tests/run/charptr_decode.pyx

 cimport cython

+cdef extern from *:
+    cdef Py_ssize_t PY_SSIZE_T_MIN
+    cdef Py_ssize_t PY_SSIZE_T_MAX
+
+
 ############################################################
 # tests for char* slicing

@@ -118,6 +123,19 @@ def slice_charptr_dynamic_bounds_non_name():
            (cstring+1)[:].decode('UTF-8'),
            (cstring+1)[return1():return5()].decode('UTF-8'))

+@cython.test_assert_path_exists("//PythonCapiCallNode")
+@cython.test_fail_if_path_exists("//AttributeNode")
+def slice_charptr_decode_large_bounds():
+    """
+    >>> print(str(slice_charptr_decode_large_bounds()).replace("u'", "'"))
+    ('abcABCqtp', '', '', '')
+    """
+    return (cstring[PY_SSIZE_T_MIN:9].decode('UTF-8'),
+            cstring[PY_SSIZE_T_MAX:PY_SSIZE_T_MIN].decode('UTF-8'),
+            cstring[PY_SSIZE_T_MIN:PY_SSIZE_T_MIN].decode('UTF-8'),
+            cstring[PY_SSIZE_T_MAX:PY_SSIZE_T_MAX].decode('UTF-8'))
+
+
 cdef return1(): return 1
 cdef return3(): return 3
 cdef return4(): return 4