From 927a57fbeb584f8f0cc71cd04619f040d5ba872a Mon Sep 17 00:00:00 2001 From: Neil Schemenauer Date: Fri, 24 Sep 2004 19:17:26 +0000 Subject: [PATCH] Ensure negative offsets cannot be passed to buffer(). When composing buffers, compute the new buffer size based on the old buffer size. Fixes SF bug #1034242. --- Objects/bufferobject.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/Objects/bufferobject.c b/Objects/bufferobject.c index e0344d89d61..674d2b562b6 100644 --- a/Objects/bufferobject.c +++ b/Objects/bufferobject.c @@ -90,10 +90,23 @@ buffer_from_memory(PyObject *base, int size, int offset, void *ptr, static PyObject * buffer_from_object(PyObject *base, int size, int offset, int readonly) { + if (offset < 0) { + PyErr_SetString(PyExc_ValueError, + "offset must be zero or positive"); + return NULL; + } if ( PyBuffer_Check(base) && (((PyBufferObject *)base)->b_base) ) { /* another buffer, refer to the base object */ - offset += ((PyBufferObject *)base)->b_offset; - base = ((PyBufferObject *)base)->b_base; + PyBufferObject *b = (PyBufferObject *)base; + if (b->b_size != Py_END_OF_BUFFER) { + int base_size = b->b_size - offset; + if (base_size < 0) + base_size = 0; + if (size == Py_END_OF_BUFFER || size > base_size) + size = base_size; + } + offset += b->b_offset; + base = b->b_base; } return buffer_from_memory(base, size, offset, NULL, readonly); }