(Merge 3.3) Issue #19969: PyBytes_FromFormatV() now raises an OverflowError if

"%c" argument is not in range [0; 255].
author: Victor Stinner <victor.stinner@gmail.com> 2013-12-13 12:15:31 +0100
committer: Victor Stinner <victor.stinner@gmail.com> 2013-12-13 12:15:31 +0100
commit: 507ac3a5910a5404013883ce45ad2f9cf0509b0e (patch)
tree: ce07a2f92b935600c89f39e874f9c704844457b6
parent: 590cebe391fb2e199afe9b20ff67e360116a1266 (diff)
parent: c9362cf86ae302e89207dff7206b1c6bba413e33 (diff)
download: cpython-git-507ac3a5910a5404013883ce45ad2f9cf0509b0e.tar.gz
3 files changed, 25 insertions, 3 deletions
diff --git a/Lib/test/test_bytes.py b/Lib/test/test_bytes.py
index 847c7a613f..f350211f71 100644
--- a/Lib/test/test_bytes.py
+++ b/Lib/test/test_bytes.py
@@ -743,6 +743,12 @@ class BytesTest(BaseBytesTest, unittest.TestCase):
         self.assertEqual(PyBytes_FromFormat(b's:%s', c_char_p(b'cstr')),
                          b's:cstr')
 
+        # Issue #19969
+        self.assertRaises(OverflowError,
+                          PyBytes_FromFormat, b'%c', c_int(-1))
+        self.assertRaises(OverflowError,
+                          PyBytes_FromFormat, b'%c', c_int(256))
+
 
 class ByteArrayTest(BaseBytesTest, unittest.TestCase):
     type2test = bytearray
diff --git a/Misc/NEWS b/Misc/NEWS
index eca89cc7a5..f99a0d82f8 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ Release date: 2014-01-05
 Core and Builtins
 -----------------
 
+- Issue #19969: PyBytes_FromFormatV() now raises an OverflowError if "%c"
+  argument is not in range [0; 255].
+
 - Issue #19787: PyThread_set_key_value() now always set the value. In Python
   3.3, the function did nothing if the key already exists (if the current value
   is a non-NULL pointer).
diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
index 63c67f8479..614978b395 100644
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -195,8 +195,17 @@ PyBytes_FromFormatV(const char *format, va_list vargs)
 
             switch (*f) {
             case 'c':
-                (void)va_arg(count, int);
-                /* fall through... */
+            {
+                int c = va_arg(count, int);
+                if (c < 0 || c > 255) {
+                    PyErr_SetString(PyExc_OverflowError,
+                                    "PyBytes_FromFormatV(): %c format "
+                                    "expects an integer in range [0; 255]");
+                    return NULL;
+                }
+                n++;
+                break;
+            }
             case '%':
                 n++;
                 break;
@@ -276,8 +285,12 @@ PyBytes_FromFormatV(const char *format, va_list vargs)
 
             switch (*f) {
             case 'c':
-                *s++ = va_arg(vargs, int);
+            {
+                int c = va_arg(vargs, int);
+                /* c has been checked for overflow in the first step */
+                *s++ = (unsigned char)c;
                 break;
+            }
             case 'd':
                 if (longflag)
                     sprintf(s, "%ld", va_arg(vargs, long));
author	Victor Stinner <victor.stinner@gmail.com>	2013-12-13 12:15:31 +0100
committer	Victor Stinner <victor.stinner@gmail.com>	2013-12-13 12:15:31 +0100
commit	507ac3a5910a5404013883ce45ad2f9cf0509b0e (patch)
tree	ce07a2f92b935600c89f39e874f9c704844457b6
parent	590cebe391fb2e199afe9b20ff67e360116a1266 (diff)
parent	c9362cf86ae302e89207dff7206b1c6bba413e33 (diff)
download	cpython-git-507ac3a5910a5404013883ce45ad2f9cf0509b0e.tar.gz