From: Benjamin Peterson
Date: Sat, 27 Jun 2015 19:52:41 +0000 (-0500)
Subject: ensure internal buffer is large enough for string after flushing (closes #24481)
X-Git-Tag: v2.7.11rc1~257
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1c72acf24cc8e39be5d9cc1674c66811d9b036c4;p=thirdparty%2FPython%2Fcpython.git
ensure internal buffer is large enough for string after flushing (closes #24481)
---
diff --git a/Lib/test/test_hotshot.py b/Lib/test/test_hotshot.py
index 7da9746d789e..9f4b798a6972 100644
--- a/Lib/test/test_hotshot.py
+++ b/Lib/test/test_hotshot.py
@@ -149,6 +149,10 @@ class HotShotTestCase(unittest.TestCase):
 stats.load(self.logfn)
 os.unlink(self.logfn)
+ def test_large_info(self):
+ p = self.new_profiler()
+ self.assertRaises(ValueError, p.addinfo, "A", "A" * 0xfceb)
+
 def test_main():
 test_support.run_unittest(HotShotTestCase)
diff --git a/Misc/NEWS b/Misc/NEWS
index 3b9b3fad1ddc..1496398bb130 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -30,6 +30,9 @@ Core and Builtins
 Library
 -------
+- Issue #24481: Fix possible memory corruption with large profiler info strings
+ in hotshot.
+
 - Issue #24489: ensure a previously set C errno doesn't disturb cmath.polar().
 - Issue #19543: io.TextIOWrapper (and hence io.open()) now uses the internal
diff --git a/Modules/_hotshot.c b/Modules/_hotshot.c
index df8a7f94cd4b..9719cb76733b 100644
--- a/Modules/_hotshot.c
+++ b/Modules/_hotshot.c
@@ -626,6 +626,10 @@ pack_string(ProfilerObject *self, const char *s, Py_ssize_t len)
 if (len + PISIZE + self->index >= BUFFERSIZE) {
 if (flush_data(self) < 0)
 return -1;
+ if (len + PISIZE + self->index >= BUFFERSIZE) {
+ PyErr_SetString(PyExc_ValueError, "string too large for internal buffer");
+ return -1;
+ }
 }
 assert(len < INT_MAX);
 if (pack_packed_int(self, (int)len) < 0)
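Review bot: test_large_info never closes the profiler or removes its log file, whereas the test just above it in this hunk ends with `os.unlink(self.logfn)`. If `new_profiler()` (defined outside the hunk) opens `self.logfn` as that neighbouring test suggests, the new test leaves an open handle and a stray file behind. Registering `self.addCleanup(os.unlink, self.logfn)` and then `self.addCleanup(p.close)` right after `p = self.new_profiler()` would cover both, including the failure path. The length `0xfceb` is also unexplained; a one-line comment such as `# value chosen to exceed _hotshot's internal buffer even after a flush` would tell a maintainer what to adjust if the C buffer size changes. The enclosing class starts outside the hunk.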
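Review bot: The new ValueError in pack_string is raised only after `flush_data(self)` has already run, so an oversized string is rejected with the profiler's buffer state already changed. If a caller writes a record tag or an earlier field before calling pack_string (callers are outside the hunk, so this is to be confirmed), the rejection may leave a partial record in the log. A string that can never fit is known before any flushing, so a leading `if (len + PISIZE >= BUFFERSIZE)` rejection placed ahead of the flush, or the equivalent size check in the caller before it writes anything, would keep the error path free of side effects. The post-flush re-check against `self->index` should stay in case a flush can leave data in the buffer. It would also help to add a comment above it, for example `/* flush may not have made enough room: refuse rather than write past the buffer */`, because the following `assert(len < INT_MAX)` disappears in release builds and this check is then the only bound in force. The function body starts and ends outside the hunk.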