From: Antoine Pitrou
Date: Sun, 29 Mar 2009 00:57:20 +0000 (+0000)
Subject: Merged revisions 70664 via svnmerge from
X-Git-Tag: 3.0~292
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=31696e98170d9d038e574f1523039d3ae468f46e;p=thirdparty%2FPython%2Fcpython.git
Merged revisions 70664 via svnmerge from svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r70664 | antoine.pitrou | 2009-03-29 01:45:26 +0100 (dim., 29 mars 2009) | 6 lines
Issue #1174606: Calling read() without arguments of an unbounded file (typically /dev/zero under Unix) could crash the interpreter. No test as there always seems to be a risk of putting the machine on its knees.
........
---
diff --git a/Misc/NEWS b/Misc/NEWS
index 6dd2de4f8e7c..c007f82c20a4 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -26,6 +26,9 @@ Core and Builtins
 Library
 -------
+- Issue #1174606: Calling read() without arguments of an unbounded file
+ (typically /dev/zero under Unix) could crash the interpreter.
+
 - Issue #5068: Fixed the tarfile._BZ2Proxy.read() method that would loop forever on incomplete input. That caused tarfile.open() to hang when used with mode 'r' or 'r:bz2' and a fileobj argument that contained no data or
diff --git a/Modules/_fileio.c b/Modules/_fileio.c
index bee19fe511ee..919fdea80421 100644
--- a/Modules/_fileio.c
+++ b/Modules/_fileio.c
@@ -451,7 +451,7 @@ fileio_readall(PyFileIOObject *self)
 return NULL;
 while (1) {
- Py_ssize_t newsize = (total < SMALLCHUNK) ? SMALLCHUNK : total;
+ size_t newsize = (total < SMALLCHUNK) ? SMALLCHUNK : total;
 /* Keep doubling until we reach BIGCHUNK; then keep adding BIGCHUNK. */
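Review bot: The `size_t newsize` declaration in the `while (1)` loop carries no comment saying that the unsigned type is deliberate: it lets the grown size exceed PY_SSIZE_T_MAX without signed overflow, so a later cleanup back to `Py_ssize_t` would quietly bring the undefined behaviour back. A one-line comment above the declaration, such as `/* unsigned on purpose: the size may pass PY_SSIZE_T_MAX and must be range-checked before use */`, would record that. The initialiser converts `total` to unsigned; its declaration is outside the hunk, so this presumably relies on `total` never being negative. fileio_readall starts and ends outside the hunk.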
@@ -459,9 +459,14 @@ fileio_readall(PyFileIOObject *self)
 newsize += newsize;
 }
 else {
- /* NOTE: overflow impossible due to limits on BUFSIZ */
 newsize += BIGCHUNK;
 }
+ if (newsize > PY_SSIZE_T_MAX || newsize <= 0) {
+ PyErr_SetString(PyExc_OverflowError,
+ "unbounded read returned more bytes "
+ "than a Python string can hold ");
+ return NULL;
+ }
 if (PyBytes_GET_SIZE(result) < newsize) {
 if (_PyBytes_Resize(&result, newsize) < 0) {
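Review bot: The new overflow branch returns NULL without releasing `result`, which the following context lines show is still a live bytes object at this point (`PyBytes_GET_SIZE(result)`, `_PyBytes_Resize(&result, newsize)`), so a rejected read appears to leak the buffer accumulated so far, which by then is close to the maximum object size. Add `Py_DECREF(result);` before `return NULL;`. Separately, `newsize <= 0` on a `size_t` can only mean `newsize == 0`, and writing it that way avoids an always-false comparison warning; the message literal also ends in a stray space. The allocation of `result` and the rest of fileio_readall are outside the hunk.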