SF bug #494738: binascii_b2a_base64 overwrites memory. binascii_b2a_base64(): We didn't allocate enough buffer space for very short inputs (e.g., a 1-byte input can produce a 5-byte output, but we only allocated 2 bytes). I expect that malloc overheads absorbed the overrun in practice, but computing a correct upper bound is a very simple change.

commit: 1fbb577ee26becacf53b92c53df356aaf227ea73 [log] [tgz]
author: Tim Peters <tim.peters@gmail.com> Wed Dec 19 04:41:35 2001 +0000
committer: Tim Peters <tim.peters@gmail.com> Wed Dec 19 04:41:35 2001 +0000
tree: 269809974f51b25df90a37f3ee687d66c3c20150
parent: b6d14daa1c48d8938a140a671bcd17cb40cdd54d [diff] [blame]
diff --git a/Modules/binascii.c b/Modules/binascii.c
index 643450c..9ef3054 100644
--- a/Modules/binascii.c
+++ b/Modules/binascii.c

@@ -137,7 +137,7 @@
 #define BASE64_PAD '='
 
 /* Max binary chunk size; limited only by available memory */
-#define BASE64_MAXBIN (INT_MAX/2 - sizeof(PyStringObject))
+#define BASE64_MAXBIN (INT_MAX/2 - sizeof(PyStringObject) - 3)
 
 static unsigned char table_b2a_base64[] =
 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
@@ -436,8 +436,10 @@
 		return NULL;
 	}
 	
-	/* We're lazy and allocate to much (fixed up later) */
-	if ( (rv=PyString_FromStringAndSize(NULL, bin_len*2)) == NULL )
+	/* We're lazy and allocate too much (fixed up later).
+	   "+3" leaves room for up to two pad characters and a trailing
+	   newline.  Note that 'b' gets encoded as 'Yg==\n' (1 in, 5 out). */
+	if ( (rv=PyString_FromStringAndSize(NULL, bin_len*2 + 3)) == NULL )
 		return NULL;
 	ascii_data = (unsigned char *)PyString_AsString(rv);
commit	1fbb577ee26becacf53b92c53df356aaf227ea73	[log] [tgz]
author	Tim Peters <tim.peters@gmail.com>	Wed Dec 19 04:41:35 2001 +0000
committer	Tim Peters <tim.peters@gmail.com>	Wed Dec 19 04:41:35 2001 +0000
tree	269809974f51b25df90a37f3ee687d66c3c20150
parent	b6d14daa1c48d8938a140a671bcd17cb40cdd54d [diff] [blame]