From: Christian Heimes Date: Wed, 12 Sep 2012 13:31:43 +0000 (+0200) Subject: Fix out of bounds read in long_new() for empty bytes with an explicit base. int(b... X-Git-Tag: v3.2.4rc1~535 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=79b97ee2ab2620921d409ed4010e84f6c227b470;p=thirdparty%2FPython%2Fcpython.git Fix out of bounds read in long_new() for empty bytes with an explicit base. int(b'', somebase) calls PyLong_FromString() with char* of length 1 but the function accesses the first argument at offset 1. CID 715359 --- diff --git a/Objects/longobject.c b/Objects/longobject.c index a735e33e0463..f2f63afbf699 100644 --- a/Objects/longobject.c +++ b/Objects/longobject.c @@ -4149,8 +4149,8 @@ long_new(PyTypeObject *type, PyObject *args, PyObject *kwds) string = PyByteArray_AS_STRING(x); else string = PyBytes_AS_STRING(x); - if (strlen(string) != (size_t)size) { - /* We only see this if there's a null byte in x, + if (strlen(string) != (size_t)size || !size) { + /* We only see this if there's a null byte in x or x is empty, x is a bytes or buffer, *and* a base is given. */ PyErr_Format(PyExc_ValueError, "invalid literal for int() with base %d: %R",
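Review bot: the new `|| !size` test guards only this call site in long_new(), while the commit message locates the out-of-bounds read inside PyLong_FromString() (it reads the first argument at offset 1), so any other caller that passes an empty string with an explicit base would still reach that read. Consider also rejecting an empty input at the top of PyLong_FromString(), or documenting the non-empty precondition there. Two smaller points on the same condition: `size == 0` would read more clearly than `!size` next to the `(size_t)size` comparison, and placing it first would short-circuit before strlen() is called. The visible diff touches only Objects/longobject.c; a regression test asserting that `int(b'', somebase)` raises ValueError would keep this from reappearing.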