From: Ronald Oussoren Date: Thu, 11 Jul 2013 11:33:55 +0000 (+0200) Subject: Issue #18427: str.replace could crash the interpreter with huge strings. X-Git-Tag: v2.7.6rc1~308^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3687e8055cf740384516c596890e864ead081eba;p=thirdparty%2FPython%2Fcpython.git Issue #18427: str.replace could crash the interpreter with huge strings. This fixes two places where 'int' was used to represent the size of strings, instead of 'Py_ssize_t'. (The issue is not present in the corresponding code in the 3.x branches) Fixes #18427 --- diff --git a/Misc/NEWS b/Misc/NEWS index c3689e931887..804e8c2125d3 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -24,6 +24,8 @@ Core and Builtins Library ------- +- Issue #18427: str.replace could crash the interpreter with huge strings. + - Issue #18347: ElementTree's html serializer now preserves the case of closing tags. @@ -88,7 +90,7 @@ IDLE - Issue #7136: In the Idle File menu, "New Window" is renamed "New File". Patch by Tal Einat, Roget Serwy, and Todd Rovito. - + - Issue #8515: Set __file__ when run file in IDLE. Initial patch by Bruce Frederiksen. diff --git a/Objects/stringobject.c b/Objects/stringobject.c index 120919737791..b80ef87b0d8d 100644 --- a/Objects/stringobject.c +++ b/Objects/stringobject.c @@ -882,9 +882,9 @@ string_print(PyStringObject *op, FILE *fp, int flags) size -= chunk_size; } #ifdef __VMS - if (size) fwrite(data, (int)size, 1, fp); + if (size) fwrite(data, (size_t)size, 1, fp); #else - fwrite(data, 1, (int)size, fp); + fwrite(data, 1, (size_t)size, fp); #endif Py_END_ALLOW_THREADS return 0; @@ -2332,7 +2332,7 @@ return_self(PyStringObject *self) } Py_LOCAL_INLINE(Py_ssize_t) -countchar(const char *target, int target_len, char c, Py_ssize_t maxcount) +countchar(const char *target, Py_ssize_t target_len, char c, Py_ssize_t maxcount) { Py_ssize_t count=0; const char *start=target;
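Review bot: In the first Misc/NEWS hunk the new entry lands under the "Library" heading, but the fix is in Objects/stringobject.c and concerns the built-in str type, so it belongs under "Core and Builtins" a few lines above. Moving the "- Issue #18427: str.replace could crash the interpreter with huge strings." line there keeps the changelog consistent with where the code lives.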
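Review bot: The second Misc/NEWS hunk (around line 90, in the IDLE section) replaces one blank-looking line with another, so it is a whitespace-only change unrelated to Issue #18427. Dropping it from this commit, or landing it separately, keeps the crash fix minimal and easier to backport.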
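Review bot: In the string_print hunk, the new (size_t)size casts in both fwrite calls are only value-preserving when size is non-negative, and nothing in the visible lines states or checks that after the "size -= chunk_size;" loop. If size is a signed type such as Py_ssize_t, as the commit message implies, an assert(size >= 0) or a short comment before the #ifdef would document the assumption. Separately, the subject line names only str.replace while this hunk changes string_print, so the NEWS entry or commit message could mention printing of huge strings as well.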
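Review bot: The countchar hunk widens target_len from int to Py_ssize_t, but the patch touches only Misc/NEWS and Objects/stringobject.c, so there is no regression test that exercises str.replace on a string longer than INT_MAX bytes. A memory-gated test for that case would keep the truncation from coming back. As a style point, the new signature line "countchar(const char *target, Py_ssize_t target_len, char c, Py_ssize_t maxcount)" is 81 columns and could be wrapped after target_len to stay within the 79-column limit.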