CentOS Sources
2017-08-01 71084d584ff953f5463757ec6536406320560b4d
f63228 1
CS 2 # HG changeset patch
3 # User Benjamin Peterson <benjamin@python.org>
4 # Date 1397441438 14400
5 # Node ID 50c07ed1743da9cd4540d83de0c30bd17aeb41b0
6 # Parent  218e28a935ab4494d05215c243e2129625a71893
7 in scan_once, prevent the reading of arbitrary memory when passed a negative index
8
9 Bug reported by Guido Vranken.
10
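diff --git a/Lib/json/tests/test_decode.py b/Lib/json/tests/test_decode.py
--- a/Lib/json/tests/test_decode.py
+++ b/Lib/json/tests/test_decode.py
@@ -60,5 +60,10 @@ class TestDecode(object):
         msg = 'escape'
         self.assertRaisesRegexp(ValueError, msg, self.loads, s)
 
+    def test_negative_index(self):
+        d = self.json.JSONDecoder()
+        self.assertRaises(ValueError, d.raw_decode, 'a'*42, -50000)
+        self.assertRaises(ValueError, d.raw_decode, u'a'*42, -50000)
+
 class TestPyDecode(TestDecode, PyTest): pass
 class TestCDecode(TestDecode, CTest): pass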
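Review bot: test_negative_index only passes -50000, an index that is still negative after the new `idx += length` wrap, so the boundary of the fix is never exercised. An off-by-one in the bounds check would go unnoticed without the two values on either side of `-length`, for example `self.assertRaises(ValueError, d.raw_decode, 'a'*42, -43)` (just out of range) and `self.assertRaises(ValueError, d.raw_decode, 'a'*42, -42)` (wraps to index 0, still not valid JSON). The same pair should be repeated for the `u'a'*42` input so the unicode scanner is covered too. A one-line comment in the test saying that it guards against an out-of-bounds read in the C scanner would make clear why it must not be deleted.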
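diff --git a/Modules/_json.c b/Modules/_json.c
--- a/Modules/_json.c
+++ b/Modules/_json.c
@@ -1468,7 +1468,10 @@ scan_once_str(PyScannerObject *s, PyObje
     PyObject *res;
     char *str = PyString_AS_STRING(pystr);
     Py_ssize_t length = PyString_GET_SIZE(pystr);
-    if (idx >= length) {
+    if (idx < 0)
+        /* Compatibility with the Python version. */
+        idx += length;
+    if (idx < 0 || idx >= length) {
         PyErr_SetNone(PyExc_StopIteration);
         return NULL;
     }
@@ -1555,7 +1558,10 @@ scan_once_unicode(PyScannerObject *s, Py
     PyObject *res;
     Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
     Py_ssize_t length = PyUnicode_GET_SIZE(pystr);
-    if (idx >= length) {
+    if (idx < 0)
+        /* Compatibility with Python version. */
+        idx += length;
+    if (idx < 0 || idx >= length) {
         PyErr_SetNone(PyExc_StopIteration);
         return NULL;
     }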
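Review bot: The added comments in scan_once_str and scan_once_unicode describe only the wrap ("Compatibility with …") and do not mention that the `idx < 0` half of the following test is the memory-safety guard. A later cleanup could therefore remove it as redundant. I would put the comment on the bounds check instead, e.g. `/* idx may be caller-supplied: after the Python-style wrap it must lie in [0, length) before str is indexed. */`, and use the same wording in both functions, since the two comments currently differ. The unbraced `if (idx < 0)` with a comment between the condition and its statement is easy to misread; `if (idx < 0) { idx += length; }` is safer. Both function bodies continue outside the hunks, so the reads that depend on this check are not visible here and are presumably the `str[idx]` accesses that follow.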
52