changeset: 102308:dac248056b20 branch: 3.5 parent: 102298:74109d87283f user: Serhiy Storchaka date: Sun Jul 10 20:48:43 2016 +0300 files: Misc/NEWS Objects/bytearrayobject.c Objects/bytesobject.c description: Issue #27473: Fixed possible integer overflow in bytes and bytearray concatenations. Patch by Xiang Zhang.
diff -r 74109d87283f -r dac248056b20 Misc/NEWS
--- a/Misc/NEWS Sun Jul 10 12:33:18 2016 -0400
+++ b/Misc/NEWS Sun Jul 10 20:48:43 2016 +0300
@@ -10,6 +10,9 @@
 Core and Builtins
 -----------------
 
+- Issue #27473: Fixed possible integer overflow in bytes and bytearray
+ concatenations. Patch by Xiang Zhang.
+
 - Issue #27443: __length_hint__() of bytearray itearator no longer return negative integer for resized bytearray.
diff -r 74109d87283f -r dac248056b20 Objects/bytearrayobject.c
--- a/Objects/bytearrayobject.c Sun Jul 10 12:33:18 2016 -0400
+++ b/Objects/bytearrayobject.c Sun Jul 10 20:48:43 2016 +0300
@@ -246,7 +246,6 @@
 PyObject *
 PyByteArray_Concat(PyObject *a, PyObject *b)
 {
- Py_ssize_t size;
 Py_buffer va, vb;
 PyByteArrayObject *result = NULL;
 
@@ -259,13 +258,13 @@
 goto done;
 }
 
- size = va.len + vb.len;
- if (size < 0) {
- PyErr_NoMemory();
- goto done;
+ if (va.len > PY_SSIZE_T_MAX - vb.len) {
+ PyErr_NoMemory();
+ goto done;
 }
 
- result = (PyByteArrayObject *) PyByteArray_FromStringAndSize(NULL, size);
+ result = (PyByteArrayObject *) \
+ PyByteArray_FromStringAndSize(NULL, va.len + vb.len);
 if (result != NULL) {
 memcpy(result->ob_bytes, va.buf, va.len);
 memcpy(result->ob_bytes + va.len, vb.buf, vb.len);
@@ -315,7 +314,6 @@
 static PyObject *
 bytearray_iconcat(PyByteArrayObject *self, PyObject *other)
 {
- Py_ssize_t mysize;
 Py_ssize_t size;
 Py_buffer vo;
 
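Review bot: The new guard `if (va.len > PY_SSIZE_T_MAX - vb.len)` in PyByteArray_Concat has no comment saying why the bound is tested by subtraction, and that reasoning is the substance of the fix: the removed `size < 0` test could only fire after a signed addition had already overflowed, which C leaves undefined, so a compiler is free to drop it. A one-line comment above the guard, `/* Check before adding: va.len + vb.len can exceed PY_SSIZE_T_MAX, and signed overflow is undefined. */`, would keep a later cleanup from folding it back into add-then-test; the same comment fits the guards in bytearray_iconcat and bytes_concat. The subtraction is itself only safe while vb.len is non-negative, which the buffer acquisition outside this hunk presumably guarantees. The backslash after the cast on the `result =` line is not needed in C and can be dropped.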
@@ -325,17 +323,16 @@
 return NULL;
 }
 
- mysize = Py_SIZE(self);
- size = mysize + vo.len;
- if (size < 0) {
+ size = Py_SIZE(self);
+ if (size > PY_SSIZE_T_MAX - vo.len) {
 PyBuffer_Release(&vo);
 return PyErr_NoMemory();
 }
- if (PyByteArray_Resize((PyObject *)self, size) < 0) {
+ if (PyByteArray_Resize((PyObject *)self, size + vo.len) < 0) {
 PyBuffer_Release(&vo);
 return NULL;
 }
- memcpy(PyByteArray_AS_STRING(self) + mysize, vo.buf, vo.len);
+ memcpy(PyByteArray_AS_STRING(self) + size, vo.buf, vo.len);
 PyBuffer_Release(&vo);
 Py_INCREF(self);
 return (PyObject *)self;
diff -r 74109d87283f -r dac248056b20 Objects/bytesobject.c
--- a/Objects/bytesobject.c Sun Jul 10 12:33:18 2016 -0400
+++ b/Objects/bytesobject.c Sun Jul 10 20:48:43 2016 +0300
@@ -1265,7 +1265,6 @@
 static PyObject *
 bytes_concat(PyObject *a, PyObject *b)
 {
- Py_ssize_t size;
 Py_buffer va, vb;
 PyObject *result = NULL;
 
@@ -1290,13 +1289,12 @@
 goto done;
 }
 
- size = va.len + vb.len;
- if (size < 0) {
+ if (va.len > PY_SSIZE_T_MAX - vb.len) {
 PyErr_NoMemory();
 goto done;
 }
 
- result = PyBytes_FromStringAndSize(NULL, size);
+ result = PyBytes_FromStringAndSize(NULL, va.len + vb.len);
 if (result != NULL) {
 memcpy(PyBytes_AS_STRING(result), va.buf, va.len);
 memcpy(PyBytes_AS_STRING(result) + va.len, vb.buf, vb.len);
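Review bot: In bytearray_iconcat `size` now holds the length before the resize, not the new total it held in the removed code, and the `memcpy` destination `PyByteArray_AS_STRING(self) + size` depends on that. Nothing in the hunk says so, and a later edit that assigns the sum back to `size` would shift the copy to the end of the resized buffer and write `vo.len` bytes past it. Either keep a distinct name for the offset or add `/* size is the old length, i.e. the offset at which other's bytes are appended */` above `size = Py_SIZE(self);`. The lines that acquire `vo` fall between the two bytearray_iconcat hunks and are not shown.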
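Review bot: No test accompanies the guard added to bytes_concat or its two bytearray counterparts; the changeset's file list names only Misc/NEWS and the two C files. A bounds check like this is easy to lose silently in a refactor, so a regression test that concatenates operands whose lengths sum past PY_SSIZE_T_MAX and expects MemoryError would be worth adding. That is presumably only practical on 32-bit builds, where such operands can actually be allocated, so the test would need to be gated on pointer size and available memory.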