Merged revisions 70682 via svnmerge from

svn+ssh://pythondev@svn.python.org/python/trunk

........
  r70682 | mark.dickinson | 2009-03-29 17:17:16 +0100 (Sun, 29 Mar 2009) | 3 lines

  Issue #532631:  Add paranoid check to avoid potential buffer overflow
  on systems with sizeof(int) > 4.
........

diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index 84e107b6a96769fdf7c58b877385c121cf365113..8916552d77ed0f62e7eeb2c4117439f6a1252fb5 100644 (file)
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -4336,6 +4336,15 @@ formatfloat(char *buf, size_t buflen, int flags,
        }
        if (prec < 0)
                prec = 6;
+       /* make sure that the decimal representation of precision really does
+          need at most 10 digits: platforms with sizeof(int) == 8 exist! */
+       if (prec > 0x7fffffffL) {
+               PyErr_SetString(PyExc_OverflowError,
+                               "outrageously large precision "
+                               "for formatted float");
+               return -1;
+       }
+
        if (type == 'f' && fabs(x) >= 1e50)
                type = 'g';
        /* Worst case length calc to ensure no buffer overrun:
@@ -4364,7 +4373,7 @@ formatfloat(char *buf, size_t buflen, int flags,
        PyOS_snprintf(fmt, sizeof(fmt), "%%%s.%d%c",
                      (flags&F_ALT) ? "#" : "",
                      prec, type);
-        PyOS_ascii_formatd(buf, buflen, fmt, x);
+       PyOS_ascii_formatd(buf, buflen, fmt, x);
        return (int)strlen(buf);
 }