diff options
| author | Serhiy Storchaka <storchaka@gmail.com> | 2016-07-10 20:51:35 +0300 |
|---|---|---|
| committer | Serhiy Storchaka <storchaka@gmail.com> | 2016-07-10 20:51:35 +0300 |
| commit | ca0da9b0a3be265b6e0744bba2391d6ae77f47ab (patch) | |
| tree | 7f42eb3c8a3a0e8239977ae1495a8b7bc56127bc /Objects/bytesobject.c | |
| parent | ce85acff3a28cd4c3ded487bfbc8c8ac5462d4e4 (diff) | |
| parent | 06cfb0cd7037795cc7dca2729a241ed2a1fb1628 (diff) | |
| download | cpython-git-ca0da9b0a3be265b6e0744bba2391d6ae77f47ab.tar.gz | |
Issue #27473: Fixed possible integer overflow in bytes and bytearray
concatenations. Patch by Xiang Zhang.
Diffstat (limited to 'Objects/bytesobject.c')
| -rw-r--r-- | Objects/bytesobject.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c index 1ef21cc796..5f7786726e 100644 --- a/Objects/bytesobject.c +++ b/Objects/bytesobject.c @@ -1388,7 +1388,6 @@ bytes_length(PyBytesObject *a) static PyObject * bytes_concat(PyObject *a, PyObject *b) { - Py_ssize_t size; Py_buffer va, vb; PyObject *result = NULL; @@ -1413,13 +1412,12 @@ bytes_concat(PyObject *a, PyObject *b) goto done; } - size = va.len + vb.len; - if (size < 0) { + if (va.len > PY_SSIZE_T_MAX - vb.len) { PyErr_NoMemory(); goto done; } - result = PyBytes_FromStringAndSize(NULL, size); + result = PyBytes_FromStringAndSize(NULL, va.len + vb.len); if (result != NULL) { memcpy(PyBytes_AS_STRING(result), va.buf, va.len); memcpy(PyBytes_AS_STRING(result) + va.len, vb.buf, vb.len); |