-
-
Notifications
You must be signed in to change notification settings - Fork 32.1k
bpo-34087: Fix buffer overflow in int(s) and similar functions #8274
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Fix buffer overflow while converting unicode to numeric values. |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -391,6 +391,8 @@ _Py_string_to_number_with_underscores( | |
char *dup, *end; | ||
PyObject *result; | ||
|
||
assert(s[orig_len] == '\0'); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm not sure about this assertion. For performance, it would make sense to call _Py_string_to_number_with_underscores() on a sub-string which doesn't end with a NUL character. If you want to add an assertion, please do it at the caller site. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This assertion is fine to me. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Oh, the following lines calls strchr() which expects that the string ends with a NUL byte. In that case, should we also test that strlen(s) == orig_len to block embedded NUL byte? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It is not needed. NUL byte in string is valid.
|
||
|
||
if (strchr(s, '_') == NULL) { | ||
return innerfunc(s, orig_len, arg); | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To debug other kinds of bugs, you can call "assert(_PyUnicode_CheckConsistency(unicode, 1));" just before "return result;". This function detects if the last character is not a NUL character, for example ;-)