Issue #24467: Fixed possible buffer over-read in bytearray. The bytearray

object now always allocates place for trailing null byte and it's buffer now is always null-terminated.
2015-06-29 21:18:01 +03:00 · 2015-06-29 21:18:01 +03:00 · bc9e75ed02
parent a95a476b3a 7b6e3b91f5
commit bc9e75ed02
3 changed files with 25 additions and 2 deletions
--- a/Lib/test/test_bytes.py
+++ b/Lib/test/test_bytes.py
@ -1098,10 +1098,27 @@ def test_alloc(self):
        for i in range(100):
            b += b"x"
            alloc = b.__alloc__()
-            self.assertTrue(alloc >= len(b))
+            self.assertGreater(alloc, len(b))  # including trailing null byte
            if alloc not in seq:
                seq.append(alloc)

+    def test_init_alloc(self):
+        b = bytearray()
+        def g():
+            for i in range(1, 100):
+                yield i
+                a = list(b)
+                self.assertEqual(a, list(range(1, len(a)+1)))
+                self.assertEqual(len(b), len(a))
+                self.assertLessEqual(len(b), i)
+                alloc = b.__alloc__()
+                self.assertGreater(alloc, len(b))  # including trailing null byte
+        b.__init__(g())
+        self.assertEqual(list(b), list(range(1, 100)))
+        self.assertEqual(len(b), 99)
+        alloc = b.__alloc__()
+        self.assertGreater(alloc, len(b))
+
    def test_extend(self):
        orig = b'hello'
        a = bytearray(orig)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -10,6 +10,10 @@ Release date: 2015-07-05
 Core and Builtins
 -----------------

+- Issue #24467: Fixed possible buffer over-read in bytearray. The bytearray
+  object now always allocates place for trailing null byte and it's buffer now
+  is always null-terminated.
+
 - Upgrade to Unicode 8.0.0.

 - Issue #24345: Add Py_tp_finalize slot for the stable ABI.
--- a/Objects/bytearrayobject.c
+++ b/Objects/bytearrayobject.c
@ -891,8 +891,10 @@ bytearray_init(PyByteArrayObject *self, PyObject *args, PyObject *kwds)
            goto error;

        /* Append the byte */
-        if (Py_SIZE(self) < self->ob_alloc)
+        if (Py_SIZE(self) + 1 < self->ob_alloc) {
            Py_SIZE(self)++;
+            PyByteArray_AS_STRING(self)[Py_SIZE(self)] = '\0';
+        }
        else if (PyByteArray_Resize((PyObject *)self, Py_SIZE(self)+1) < 0)
            goto error;
        PyByteArray_AS_STRING(self)[Py_SIZE(self)-1] = value;