Closes release blocker #3627.

Merged revisions 65335 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

TESTED=./python -E -tt ./Lib/test/regrtest.py -uall (both debug and opt)

........
  r65335 | neal.norwitz | 2008-07-31 10:17:14 -0700 (Thu, 31 Jul 2008) | 1 line

  Security patches from Apple:  prevent int overflow when allocating memory
........
This commit is contained in:
Neal Norwitz 2008-08-24 07:08:55 +00:00
parent 06db799a53
commit 3ce5d9207e
11 changed files with 201 additions and 26 deletions

View file

@ -304,11 +304,13 @@ def test_repeat(self):
self.assertEqual(id(s), id(s*1)) self.assertEqual(id(s), id(s*1))
def test_bigrepeat(self): def test_bigrepeat(self):
x = self.type2test([0]) import sys
x *= 2**16 if sys.maxsize <= 2147483647:
self.assertRaises(MemoryError, x.__mul__, 2**16) x = self.type2test([0])
if hasattr(x, '__imul__'): x *= 2**16
self.assertRaises(MemoryError, x.__imul__, 2**16) self.assertRaises(MemoryError, x.__mul__, 2**16)
if hasattr(x, '__imul__'):
self.assertRaises(MemoryError, x.__imul__, 2**16)
def test_subscript(self): def test_subscript(self):
a = self.type2test([10, 11]) a = self.type2test([10, 11])

View file

@ -68,6 +68,7 @@ def import_module(name, deprecated=False):
use_resources = None # Flag set to [] by regrtest.py use_resources = None # Flag set to [] by regrtest.py
max_memuse = 0 # Disable bigmem tests (they will still be run with max_memuse = 0 # Disable bigmem tests (they will still be run with
# small sizes, to make sure they work.) # small sizes, to make sure they work.)
real_max_memuse = 0
# _original_stdout is meant to hold stdout at the time regrtest began. # _original_stdout is meant to hold stdout at the time regrtest began.
# This may be "the real" stdout, or IDLE's emulation of stdout, or whatever. # This may be "the real" stdout, or IDLE's emulation of stdout, or whatever.
@ -599,12 +600,14 @@ def inner(*args, **kwds):
_1M = 1024*1024 _1M = 1024*1024
_1G = 1024 * _1M _1G = 1024 * _1M
_2G = 2 * _1G _2G = 2 * _1G
_4G = 4 * _1G
MAX_Py_ssize_t = sys.maxsize MAX_Py_ssize_t = sys.maxsize
def set_memlimit(limit): def set_memlimit(limit):
import re import re
global max_memuse global max_memuse
global real_max_memuse
sizes = { sizes = {
'k': 1024, 'k': 1024,
'm': _1M, 'm': _1M,
@ -616,6 +619,7 @@ def set_memlimit(limit):
if m is None: if m is None:
raise ValueError('Invalid memory limit %r' % (limit,)) raise ValueError('Invalid memory limit %r' % (limit,))
memlimit = int(float(m.group(1)) * sizes[m.group(3).lower()]) memlimit = int(float(m.group(1)) * sizes[m.group(3).lower()])
real_max_memuse = memlimit
if memlimit > MAX_Py_ssize_t: if memlimit > MAX_Py_ssize_t:
memlimit = MAX_Py_ssize_t memlimit = MAX_Py_ssize_t
if memlimit < _2G - 1: if memlimit < _2G - 1:
@ -661,6 +665,27 @@ def wrapper(self):
return wrapper return wrapper
return decorator return decorator
def precisionbigmemtest(size, memuse, overhead=5*_1M):
def decorator(f):
def wrapper(self):
if not real_max_memuse:
maxsize = 5147
else:
maxsize = size
if real_max_memuse and real_max_memuse < maxsize * memuse:
if verbose:
sys.stderr.write("Skipping %s because of memory "
"constraint\n" % (f.__name__,))
return
return f(self, maxsize)
wrapper.size = size
wrapper.memuse = memuse
wrapper.overhead = overhead
return wrapper
return decorator
def bigaddrspacetest(f): def bigaddrspacetest(f):
"""Decorator for tests that fill the address space.""" """Decorator for tests that fill the address space."""
def wrapper(self): def wrapper(self):

View file

@ -1,5 +1,5 @@
from test import support from test import support
from test.support import bigmemtest, _1G, _2G from test.support import bigmemtest, _1G, _2G, _4G, precisionbigmemtest
import unittest import unittest
import operator import operator
@ -53,6 +53,22 @@ def test_center(self, size):
self.assertEquals(s[lpadsize:-rpadsize], SUBSTR) self.assertEquals(s[lpadsize:-rpadsize], SUBSTR)
self.assertEquals(s.strip(), SUBSTR.strip()) self.assertEquals(s.strip(), SUBSTR.strip())
@precisionbigmemtest(size=_2G - 1, memuse=1)
def test_center_unicode(self, size):
SUBSTR = ' abc def ghi'
try:
s = SUBSTR.center(size)
except OverflowError:
pass # acceptable on 32-bit
else:
self.assertEquals(len(s), size)
lpadsize = rpadsize = (len(s) - len(SUBSTR)) // 2
if len(s) % 2:
lpadsize += 1
self.assertEquals(s[lpadsize:-rpadsize], SUBSTR)
self.assertEquals(s.strip(), SUBSTR.strip())
del s
@bigmemtest(minsize=_2G, memuse=2) @bigmemtest(minsize=_2G, memuse=2)
def test_count(self, size): def test_count(self, size):
SUBSTR = ' abc def ghi' SUBSTR = ' abc def ghi'
@ -69,10 +85,51 @@ def test_decode(self, size):
s = b'.' * size s = b'.' * size
self.assertEquals(len(s.decode('utf-8')), size) self.assertEquals(len(s.decode('utf-8')), size)
def basic_encode_test(self, size, enc, c='.', expectedsize=None):
if expectedsize is None:
expectedsize = size
s = c * size
self.assertEquals(len(s.encode(enc)), expectedsize)
@bigmemtest(minsize=_2G + 2, memuse=3) @bigmemtest(minsize=_2G + 2, memuse=3)
def test_encode(self, size): def test_encode(self, size):
s = '.' * size return self.basic_encode_test(size, 'utf-8')
self.assertEquals(len(s.encode('utf-8')), size)
@precisionbigmemtest(size=_4G / 6 + 2, memuse=2)
def test_encode_raw_unicode_escape(self, size):
try:
return self.basic_encode_test(size, 'raw_unicode_escape')
except MemoryError:
pass # acceptable on 32-bit
@precisionbigmemtest(size=_4G / 5 + 70, memuse=3)
def test_encode_utf7(self, size):
try:
return self.basic_encode_test(size, 'utf7')
except MemoryError:
pass # acceptable on 32-bit
@precisionbigmemtest(size=_4G / 4 + 5, memuse=6)
def test_encode_utf32(self, size):
try:
return self.basic_encode_test(size, 'utf32', expectedsize=4*size+4)
except MemoryError:
pass # acceptable on 32-bit
@precisionbigmemtest(size=_2G-1, memuse=2)
def test_decodeascii(self, size):
return self.basic_encode_test(size, 'ascii', c='A')
@precisionbigmemtest(size=_4G / 5, memuse=6+2)
def test_unicode_repr_oflw(self, size):
try:
s = "\uAAAA"*size
r = repr(s)
except MemoryError:
pass # acceptable on 32-bit
else:
self.failUnless(s == eval(r))
@bigmemtest(minsize=_2G, memuse=2) @bigmemtest(minsize=_2G, memuse=2)
def test_endswith(self, size): def test_endswith(self, size):
@ -458,6 +515,11 @@ def test_repr_large(self, size):
self.assertEquals(s.count('\\'), size) self.assertEquals(s.count('\\'), size)
self.assertEquals(s.count('0'), size * 2) self.assertEquals(s.count('0'), size * 2)
@bigmemtest(minsize=2**32 / 5, memuse=6+2)
def test_unicode_repr(self, size):
s = "\uAAAA" * size
self.failUnless(len(repr(s)) > size)
# This test is meaningful even with size < 2G, as long as the # This test is meaningful even with size < 2G, as long as the
# doubled string is > 2G (but it tests more if both are > 2G :) # doubled string is > 2G (but it tests more if both are > 2G :)
@bigmemtest(minsize=_1G + 2, memuse=3) @bigmemtest(minsize=_1G + 2, memuse=3)
@ -641,6 +703,35 @@ def test_repeat_small(self, size):
def test_repeat_large(self, size): def test_repeat_large(self, size):
return self.basic_test_repeat(size) return self.basic_test_repeat(size)
@bigmemtest(minsize=_1G - 1, memuse=12)
def test_repeat_large_2(self, size):
return self.basic_test_repeat(size)
@precisionbigmemtest(size=_1G - 1, memuse=9)
def test_from_2G_generator(self, size):
try:
t = tuple(range(size))
except MemoryError:
pass # acceptable on 32-bit
else:
count = 0
for item in t:
self.assertEquals(item, count)
count += 1
self.assertEquals(count, size)
@precisionbigmemtest(size=_1G - 25, memuse=9)
def test_from_almost_2G_generator(self, size):
try:
t = tuple(range(size))
count = 0
for item in t:
self.assertEquals(item, count)
count += 1
self.assertEquals(count, size)
except MemoryError:
pass # acceptable, expected on 32-bit
# Like test_concat, split in two. # Like test_concat, split in two.
def basic_test_repr(self, size): def basic_test_repr(self, size):
t = (0,) * size t = (0,) * size

View file

@ -12,6 +12,8 @@ What's New in Python 3.0 release candidate 1
Core and Builtins Core and Builtins
----------------- -----------------
- Apply security patches from Apple.
- Fix crashes on memory allocation failure found with failmalloc. - Fix crashes on memory allocation failure found with failmalloc.
- Fix memory leaks found with valgrind and update suppressions file. - Fix memory leaks found with valgrind and update suppressions file.

View file

@ -1318,7 +1318,10 @@ PyObject *
_PyObject_GC_Malloc(size_t basicsize) _PyObject_GC_Malloc(size_t basicsize)
{ {
PyObject *op; PyObject *op;
PyGC_Head *g = (PyGC_Head *)PyObject_MALLOC( PyGC_Head *g;
if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head))
return PyErr_NoMemory();
g = (PyGC_Head *)PyObject_MALLOC(
sizeof(PyGC_Head) + basicsize); sizeof(PyGC_Head) + basicsize);
if (g == NULL) if (g == NULL)
return PyErr_NoMemory(); return PyErr_NoMemory();
@ -1361,6 +1364,8 @@ _PyObject_GC_Resize(PyVarObject *op, Py_ssize_t nitems)
{ {
const size_t basicsize = _PyObject_VAR_SIZE(Py_TYPE(op), nitems); const size_t basicsize = _PyObject_VAR_SIZE(Py_TYPE(op), nitems);
PyGC_Head *g = AS_GC(op); PyGC_Head *g = AS_GC(op);
if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head))
return (PyVarObject *)PyErr_NoMemory();
g = (PyGC_Head *)PyObject_REALLOC(g, sizeof(PyGC_Head) + basicsize); g = (PyGC_Head *)PyObject_REALLOC(g, sizeof(PyGC_Head) + basicsize);
if (g == NULL) if (g == NULL)
return (PyVarObject *)PyErr_NoMemory(); return (PyVarObject *)PyErr_NoMemory();

View file

@ -245,7 +245,7 @@ mmap_read_method(mmap_object *self,
return(NULL); return(NULL);
/* silently 'adjust' out-of-range requests */ /* silently 'adjust' out-of-range requests */
if ((self->pos + num_bytes) > self->size) { if (num_bytes > self->size - self->pos) {
num_bytes -= (self->pos+num_bytes) - self->size; num_bytes -= (self->pos+num_bytes) - self->size;
} }
result = PyByteArray_FromStringAndSize(self->data+self->pos, num_bytes); result = PyByteArray_FromStringAndSize(self->data+self->pos, num_bytes);

View file

@ -121,6 +121,11 @@ PyByteArray_FromStringAndSize(const char *bytes, Py_ssize_t size)
return NULL; return NULL;
} }
/* Prevent buffer overflow when setting alloc to size+1. */
if (size == PY_SSIZE_T_MAX) {
return PyErr_NoMemory();
}
new = PyObject_New(PyByteArrayObject, &PyByteArray_Type); new = PyObject_New(PyByteArrayObject, &PyByteArray_Type);
if (new == NULL) if (new == NULL)
return NULL; return NULL;

View file

@ -83,6 +83,12 @@ PyBytes_FromStringAndSize(const char *str, Py_ssize_t size)
return (PyObject *)op; return (PyObject *)op;
} }
if (size > PY_SSIZE_T_MAX - sizeof(PyBytesObject)) {
PyErr_SetString(PyExc_OverflowError,
"byte string is too large");
return NULL;
}
/* Inline PyObject_NewVar */ /* Inline PyObject_NewVar */
op = (PyBytesObject *)PyObject_MALLOC(sizeof(PyBytesObject) + size); op = (PyBytesObject *)PyObject_MALLOC(sizeof(PyBytesObject) + size);
if (op == NULL) if (op == NULL)
@ -111,7 +117,7 @@ PyBytes_FromString(const char *str)
assert(str != NULL); assert(str != NULL);
size = strlen(str); size = strlen(str);
if (size > PY_SSIZE_T_MAX) { if (size > PY_SSIZE_T_MAX - sizeof(PyBytesObject)) {
PyErr_SetString(PyExc_OverflowError, PyErr_SetString(PyExc_OverflowError,
"byte string is too long"); "byte string is too long");
return NULL; return NULL;

View file

@ -139,6 +139,8 @@ _PyLong_New(Py_ssize_t size)
PyErr_NoMemory(); PyErr_NoMemory();
return NULL; return NULL;
} }
/* XXX(nnorwitz): This can overflow --
PyObject_NEW_VAR / _PyObject_VAR_SIZE need to detect overflow */
return (PyLongObject*)PyObject_INIT_VAR(result, &PyLong_Type, size); return (PyLongObject*)PyObject_INIT_VAR(result, &PyLong_Type, size);
} }

View file

@ -60,11 +60,12 @@ PyTuple_New(register Py_ssize_t size)
Py_ssize_t nbytes = size * sizeof(PyObject *); Py_ssize_t nbytes = size * sizeof(PyObject *);
/* Check for overflow */ /* Check for overflow */
if (nbytes / sizeof(PyObject *) != (size_t)size || if (nbytes / sizeof(PyObject *) != (size_t)size ||
(nbytes += sizeof(PyTupleObject) - sizeof(PyObject *)) (nbytes > PY_SSIZE_T_MAX - sizeof(PyTupleObject) - sizeof(PyObject *)))
<= 0)
{ {
return PyErr_NoMemory(); return PyErr_NoMemory();
} }
nbytes += sizeof(PyTupleObject) - sizeof(PyObject *);
op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size); op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size);
if (op == NULL) if (op == NULL)
return NULL; return NULL;

View file

@ -311,6 +311,11 @@ PyUnicodeObject *_PyUnicode_New(Py_ssize_t length)
return unicode_empty; return unicode_empty;
} }
/* Ensure we won't overflow the size. */
if (length > ((PY_SSIZE_T_MAX / sizeof(Py_UNICODE)) - 1)) {
return (PyUnicodeObject *)PyErr_NoMemory();
}
/* Unicode freelist & memory allocation */ /* Unicode freelist & memory allocation */
if (free_list) { if (free_list) {
unicode = free_list; unicode = free_list;
@ -1860,6 +1865,9 @@ PyObject *PyUnicode_EncodeUTF7(const Py_UNICODE *s,
if (size == 0) if (size == 0)
return PyBytes_FromStringAndSize(NULL, 0); return PyBytes_FromStringAndSize(NULL, 0);
if (cbAllocated / 5 != size)
return PyErr_NoMemory();
v = PyByteArray_FromStringAndSize(NULL, cbAllocated); v = PyByteArray_FromStringAndSize(NULL, cbAllocated);
if (v == NULL) if (v == NULL)
return NULL; return NULL;
@ -2452,8 +2460,9 @@ PyUnicode_EncodeUTF32(const Py_UNICODE *s,
{ {
PyObject *v, *result; PyObject *v, *result;
unsigned char *p; unsigned char *p;
Py_ssize_t nsize, bytesize;
#ifndef Py_UNICODE_WIDE #ifndef Py_UNICODE_WIDE
int i, pairs; Py_ssize_t i, pairs;
#else #else
const int pairs = 0; const int pairs = 0;
#endif #endif
@ -2481,8 +2490,11 @@ PyUnicode_EncodeUTF32(const Py_UNICODE *s,
0xDC00 <= s[i+1] && s[i+1] <= 0xDFFF) 0xDC00 <= s[i+1] && s[i+1] <= 0xDFFF)
pairs++; pairs++;
#endif #endif
v = PyByteArray_FromStringAndSize(NULL, nsize = (size - pairs + (byteorder == 0));
4 * (size - pairs + (byteorder == 0))); bytesize = nsize * 4;
if (bytesize / 4 != nsize)
return PyErr_NoMemory();
v = PyByteArray_FromStringAndSize(NULL, bytesize);
if (v == NULL) if (v == NULL)
return NULL; return NULL;
@ -2726,8 +2738,9 @@ PyUnicode_EncodeUTF16(const Py_UNICODE *s,
{ {
PyObject *v, *result; PyObject *v, *result;
unsigned char *p; unsigned char *p;
Py_ssize_t nsize, bytesize;
#ifdef Py_UNICODE_WIDE #ifdef Py_UNICODE_WIDE
int i, pairs; Py_ssize_t i, pairs;
#else #else
const int pairs = 0; const int pairs = 0;
#endif #endif
@ -2750,8 +2763,15 @@ PyUnicode_EncodeUTF16(const Py_UNICODE *s,
if (s[i] >= 0x10000) if (s[i] >= 0x10000)
pairs++; pairs++;
#endif #endif
v = PyByteArray_FromStringAndSize(NULL, /* 2 * (size + pairs + (byteorder == 0)) */
2 * (size + pairs + (byteorder == 0))); if (size > PY_SSIZE_T_MAX ||
size > PY_SSIZE_T_MAX - pairs - (byteorder == 0))
return PyErr_NoMemory();
nsize = size + pairs + (byteorder == 0);
bytesize = nsize * 2;
if (bytesize / 2 != nsize)
return PyErr_NoMemory();
v = PyByteArray_FromStringAndSize(NULL, bytesize);
if (v == NULL) if (v == NULL)
return NULL; return NULL;
@ -3082,6 +3102,12 @@ PyObject *PyUnicode_EncodeUnicodeEscape(const Py_UNICODE *s,
PyObject *repr, *result; PyObject *repr, *result;
char *p; char *p;
#ifdef Py_UNICODE_WIDE
const Py_ssize_t expandsize = 10;
#else
const Py_ssize_t expandsize = 6;
#endif
/* XXX(nnorwitz): rather than over-allocating, it would be /* XXX(nnorwitz): rather than over-allocating, it would be
better to choose a different scheme. Perhaps scan the better to choose a different scheme. Perhaps scan the
first N-chars of the string and allocate based on that size. first N-chars of the string and allocate based on that size.
@ -3100,12 +3126,12 @@ PyObject *PyUnicode_EncodeUnicodeEscape(const Py_UNICODE *s,
escape. escape.
*/ */
if (size > (PY_SSIZE_T_MAX - 2 - 1) / expandsize)
return PyErr_NoMemory();
repr = PyByteArray_FromStringAndSize(NULL, repr = PyByteArray_FromStringAndSize(NULL,
#ifdef Py_UNICODE_WIDE 2
+ 10*size + expandsize*size
#else
+ 6*size
#endif
+ 1); + 1);
if (repr == NULL) if (repr == NULL)
return NULL; return NULL;
@ -3353,10 +3379,15 @@ PyObject *PyUnicode_EncodeRawUnicodeEscape(const Py_UNICODE *s,
char *q; char *q;
#ifdef Py_UNICODE_WIDE #ifdef Py_UNICODE_WIDE
repr = PyByteArray_FromStringAndSize(NULL, 10 * size); const Py_ssize_t expandsize = 10;
#else #else
repr = PyByteArray_FromStringAndSize(NULL, 6 * size); const Py_ssize_t expandsize = 6;
#endif #endif
if (size > PY_SSIZE_T_MAX / expandsize)
return PyErr_NoMemory();
repr = PyByteArray_FromStringAndSize(NULL, expandsize * size);
if (repr == NULL) if (repr == NULL)
return NULL; return NULL;
if (size == 0) if (size == 0)
@ -5747,6 +5778,11 @@ PyUnicodeObject *pad(PyUnicodeObject *self,
return self; return self;
} }
if (left > PY_SSIZE_T_MAX - self->length ||
right > PY_SSIZE_T_MAX - (left + self->length)) {
PyErr_SetString(PyExc_OverflowError, "padded string is too long");
return NULL;
}
u = _PyUnicode_New(left + self->length + right); u = _PyUnicode_New(left + self->length + right);
if (u) { if (u) {
if (left) if (left)