From: Serhiy Storchaka <storchaka@gmail.com>
Date: Mon, 29 Jun 2015 18:13:54 +0000 (+0300)
Subject: Issue #24467: Fixed possible buffer over-read in bytearray. The bytearray
X-Git-Tag: v2.7.11rc1~255^2~8
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ab766350b665ff2cafb92191a7cd720a1ebf6fe7;p=thirdparty%2FPython%2Fcpython.git

Issue #24467: Fixed possible buffer over-read in bytearray. The bytearray
object now always allocates place for trailing null byte and it's buffer now
is always null-terminated.
---

diff --git a/Lib/test/test_bytes.py b/Lib/test/test_bytes.py
index 988b931d1a80..02fba389ca73 100644
--- a/Lib/test/test_bytes.py
+++ b/Lib/test/test_bytes.py
@@ -722,10 +722,27 @@ class ByteArrayTest(BaseBytesTest):
         for i in range(100):
             b += b"x"
             alloc = b.__alloc__()
-            self.assertTrue(alloc >= len(b))
+            self.assertGreater(alloc, len(b))  # including trailing null byte
             if alloc not in seq:
                 seq.append(alloc)
 
+    def test_init_alloc(self):
+        b = bytearray()
+        def g():
+            for i in range(1, 100):
+                yield i
+                a = list(b)
+                self.assertEqual(a, list(range(1, len(a)+1)))
+                self.assertEqual(len(b), len(a))
+                self.assertLessEqual(len(b), i)
+                alloc = b.__alloc__()
+                self.assertGreater(alloc, len(b))  # including trailing null byte
+        b.__init__(g())
+        self.assertEqual(list(b), list(range(1, 100)))
+        self.assertEqual(len(b), 99)
+        alloc = b.__alloc__()
+        self.assertGreater(alloc, len(b))
+
     def test_extend(self):
         orig = b'hello'
         a = bytearray(orig)
diff --git a/Misc/NEWS b/Misc/NEWS
index 92e08a9219bb..e6240e2b7adf 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,10 @@ What's New in Python 2.7.11?
 Core and Builtins
 -----------------
 
+- Issue #24467: Fixed possible buffer over-read in bytearray. The bytearray
+  object now always allocates place for trailing null byte and it's buffer now
+  is always null-terminated.
+
 - Issue #19543: encode() and decode() methods and constructors of str,
   unicode and bytearray classes now emit deprecation warning for known
   non-text encodings when Python is ran with the -3 option.
diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c
index 5f575805d494..5276da51bdb7 100644
--- a/Objects/bytearrayobject.c
+++ b/Objects/bytearrayobject.c
@@ -897,8 +897,10 @@ bytearray_init(PyByteArrayObject *self, PyObject *args, PyObject *kwds)
             goto error;
 
         /* Append the byte */
-        if (Py_SIZE(self) < self->ob_alloc)
+        if (Py_SIZE(self) + 1 < self->ob_alloc) {
             Py_SIZE(self)++;
+            PyByteArray_AS_STRING(self)[Py_SIZE(self)] = '\0';
+        }
         else if (PyByteArray_Resize((PyObject *)self, Py_SIZE(self)+1) < 0)
             goto error;
         self->ob_bytes[Py_SIZE(self)-1] = value;