Issue #5387: Fixed mmap.move crash by integer overflow.
diff --git a/Lib/test/test_mmap.py b/Lib/test/test_mmap.py
index 2dd76ad..b8998ea 100644
--- a/Lib/test/test_mmap.py
+++ b/Lib/test/test_mmap.py
@@ -339,6 +339,23 @@
mf.close()
f.close()
+ # more excessive test
+ data = "0123456789"
+ for dest in range(len(data)):
+ for src in range(len(data)):
+ for count in range(len(data) - max(dest, src)):
+ expected = data[:dest] + data[src:src+count] + data[dest+count:]
+ m = mmap.mmap(-1, len(data))
+ m[:] = data
+ m.move(dest, src, count)
+ self.assertEqual(m[:], expected)
+ m.close()
+
+ # should not crash
+ m = mmap.mmap(-1, 1)
+ self.assertRaises(ValueError, m.move, 1, 1, -1)
+ m.close()
+
def test_anonymous(self):
# anonymous mmap.mmap(-1, PAGE)
m = mmap.mmap(-1, PAGESIZE)
diff --git a/Misc/NEWS b/Misc/NEWS
index 97753ad..a792570 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -199,6 +199,8 @@
Library
-------
+- Issue #5387: Fixed mmap.move crash by integer overflow.
+
- Issue #5261: Patch multiprocessing's semaphore.c to support context
manager use: "with multiprocessing.Lock()" works now.
diff --git a/Modules/mmapmodule.c b/Modules/mmapmodule.c
index 95dcfbe..d191c1e 100644
--- a/Modules/mmapmodule.c
+++ b/Modules/mmapmodule.c
@@ -612,10 +612,8 @@
return NULL;
} else {
/* bounds check the values */
- if (/* end of source after end of data?? */
- ((src+count) > self->size)
- /* dest will fit? */
- || (dest+count > self->size)) {
+ unsigned long pos = src > dest ? src : dest;
+ if (self->size >= pos && count > self->size - pos) {
PyErr_SetString(PyExc_ValueError,
"source or destination out of range");
return NULL;