o null check PyObject_Repr results
authorPhilip Jenvey <pjenvey@underboss.org>
Tue, 24 Jan 2012 05:40:09 +0000 (21:40 -0800)
committerPhilip Jenvey <pjenvey@underboss.org>
Tue, 24 Jan 2012 05:40:09 +0000 (21:40 -0800)
o limit size of strings passed to PyErr_Format

lib/sqlalchemy/cextension/processors.c
lib/sqlalchemy/cextension/resultproxy.c

index 68758afc8c6d19aeae444e4283ac0e2136ee2d71..b539f684306c165d55fef748637d90f8dcd152cd 100644 (file)
@@ -74,9 +74,12 @@ str_to_datetime(PyObject *self, PyObject *arg)
     str = PyString_AsString(arg);
     if (str == NULL) {
         err_repr = PyObject_Repr(arg);
+        if (err_repr == NULL)
+            return NULL;
         PyErr_Format(
                 PyExc_ValueError,
-                "Couldn't parse datetime string '%s' - value is not a string.",
+                "Couldn't parse datetime string '%.200s' "
+                "- value is not a string.",
                 PyString_AsString(err_repr));
         Py_DECREF(err_repr);
         return NULL;
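Review bot: In the `str == NULL` branch, `PyObject_Repr(arg)` runs while the TypeError set by the failed `PyString_AsString(arg)` should still be pending, so the object's `__repr__` code executes with an error indicator already set. With the added early return, a failing repr then propagates whichever exception happens to be current at that point. Adding `PyErr_Clear();` immediately before `err_repr = PyObject_Repr(arg);` would make the outcome deterministic. The same applies to the "value is not a string" branches in the str_to_time hunk (-115) and the str_to_date hunk (-155). The body of str_to_datetime continues outside this hunk.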
@@ -91,9 +94,11 @@ str_to_datetime(PyObject *self, PyObject *arg)
     if (sscanf(str, "%4u-%2u-%2u %2u:%2u:%2u.%6u", &year, &month, &day,
                &hour, &minute, &second, &microsecond) < 6) {
         err_repr = PyObject_Repr(arg);
+        if (err_repr == NULL)
+            return NULL;
         PyErr_Format(
                 PyExc_ValueError,
-                "Couldn't parse datetime string: %s",
+                "Couldn't parse datetime string: %.200s",
                 PyString_AsString(err_repr));
         Py_DECREF(err_repr);
         return NULL;
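Review bot: The `%.200s` precision is unexplained and is repeated in every format string this commit touches (six in processors.c, one in resultproxy.c), so a later edit could restore a bare `%s` without anyone noticing. A comment above the `PyErr_Format` call, such as `/* cap the repr at 200 bytes: the rejected value is echoed into the exception text */`, would record the intent, and a named macro for the limit would keep the sites in step. The unbraced `if (err_repr == NULL)` added here and in the other hunks would be safer written with braces. The enclosing function starts and ends outside this hunk.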
@@ -115,9 +120,11 @@ str_to_time(PyObject *self, PyObject *arg)
     str = PyString_AsString(arg);
     if (str == NULL) {
         err_repr = PyObject_Repr(arg);
+        if (err_repr == NULL)
+            return NULL;
         PyErr_Format(
                 PyExc_ValueError,
-                "Couldn't parse time string '%s' - value is not a string.",
+                "Couldn't parse time string '%.200s' - value is not a string.",
                 PyString_AsString(err_repr));
         Py_DECREF(err_repr);
         return NULL;
@@ -132,9 +139,11 @@ str_to_time(PyObject *self, PyObject *arg)
     if (sscanf(str, "%2u:%2u:%2u.%6u", &hour, &minute, &second,
                &microsecond) < 3) {
         err_repr = PyObject_Repr(arg);
+        if (err_repr == NULL)
+            return NULL;
         PyErr_Format(
                 PyExc_ValueError,
-                "Couldn't parse time string: %s",
+                "Couldn't parse time string: %.200s",
                 PyString_AsString(err_repr));
         Py_DECREF(err_repr);
         return NULL;
@@ -155,9 +164,11 @@ str_to_date(PyObject *self, PyObject *arg)
     str = PyString_AsString(arg);
     if (str == NULL) {
         err_repr = PyObject_Repr(arg);
+        if (err_repr == NULL)
+            return NULL;
         PyErr_Format(
                 PyExc_ValueError,
-                "Couldn't parse date string '%s' - value is not a string.",
+                "Couldn't parse date string '%.200s' - value is not a string.",
                 PyString_AsString(err_repr));
         Py_DECREF(err_repr);
         return NULL;
@@ -165,9 +176,11 @@ str_to_date(PyObject *self, PyObject *arg)
 
     if (sscanf(str, "%4u-%2u-%2u", &year, &month, &day) != 3) {
         err_repr = PyObject_Repr(arg);
+        if (err_repr == NULL)
+            return NULL;
         PyErr_Format(
                 PyExc_ValueError,
-                "Couldn't parse date string: %s",
+                "Couldn't parse date string: %.200s",
                 PyString_AsString(err_repr));
         Py_DECREF(err_repr);
         return NULL;
index cfc0e3530ee2f4fbb95a1a4bffeccaaa3a631a57..64b6855faa8fcd22c1b5457535c749eb79ac0a83 100644 (file)
@@ -298,7 +298,7 @@ BaseRowProxy_subscript(BaseRowProxy *self, PyObject *key)
                 return NULL;
 
             PyErr_Format(exception,
-                    "Ambiguous column name '%s' in result set! "
+                    "Ambiguous column name '%.200s' in result set! "
                     "try 'use_labels' option on select statement.", cstr_key);
             return NULL;
         }