Merged revisions 70682 via svnmerge from svn+ssh://pythondev@svn.python.org/python/trunk ........ r70682 | mark.dickinson | 2009-03-29 17:17:16 +0100 (Sun, 29 Mar 2009) | 3 lines Issue #532631: Add paranoid check to avoid potential buffer overflow on systems with sizeof(int) > 4. ........

commit: 87886195405dd28f259f839d2c4410b0309077b9 [log] [tgz]
author: Mark Dickinson <dickinsm@gmail.com> Sun Mar 29 16:18:33 2009 +0000
committer: Mark Dickinson <dickinsm@gmail.com> Sun Mar 29 16:18:33 2009 +0000
tree: 1950064a1b81ed749f7ea18578469d6b970d4bc0
parent: a30f349ecf57d7280bf179d6446f8fe5a3dede4f [diff]
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index 84e107b..8916552 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c

@@ -4336,6 +4336,15 @@
 	}
 	if (prec < 0)
 		prec = 6;
+	/* make sure that the decimal representation of precision really does
+	   need at most 10 digits: platforms with sizeof(int) == 8 exist! */
+	if (prec > 0x7fffffffL) {
+		PyErr_SetString(PyExc_OverflowError,
+				"outrageously large precision "
+				"for formatted float");
+		return -1;
+	}
+
 	if (type == 'f' && fabs(x) >= 1e50)
 		type = 'g';
 	/* Worst case length calc to ensure no buffer overrun:
@@ -4364,7 +4373,7 @@
 	PyOS_snprintf(fmt, sizeof(fmt), "%%%s.%d%c",
 		      (flags&F_ALT) ? "#" : "",
 		      prec, type);
-        PyOS_ascii_formatd(buf, buflen, fmt, x);
+	PyOS_ascii_formatd(buf, buflen, fmt, x);
 	return (int)strlen(buf);
 }
commit	87886195405dd28f259f839d2c4410b0309077b9	[log] [tgz]
author	Mark Dickinson <dickinsm@gmail.com>	Sun Mar 29 16:18:33 2009 +0000
committer	Mark Dickinson <dickinsm@gmail.com>	Sun Mar 29 16:18:33 2009 +0000
tree	1950064a1b81ed749f7ea18578469d6b970d4bc0
parent	a30f349ecf57d7280bf179d6446f8fe5a3dede4f [diff]