Ramin Farajpour Cami added the comment:
static char *
mymemreplace(const char *str, Py_ssize_t len,
const char *pat, Py_ssize_t pat_len, pattern string to find
*/
const char *sub, Py_ssize_t sub_len, substitution string */
Py_ssize_t count, number of replacements
*/
Py_ssize_t *out_len)
{
[...]
new_len = len + nfound*(sub_len - pat_len); <<<< Unchecked arithmetic can
overflow here.
if (new_len == 0) {
/* Have to allocate something for the caller to free(). */
out_s = (char *)PyMem_MALLOC(1);
if (out_s == NULL)
return NULL;
out_s[0] = '\0';
}
else {
assert(new_len > 0);
new_s = (char *)PyMem_MALLOC(new_len); <<<< An allocation is performed
using overflowed value.
if (new_s == NULL)
return NULL;
out_s = new_s;
for (; count > 0 && len > 0; --count) { <<<< Memory is copied to new_s
using len, which can be greater than the overflowed new_len value.
/* find index of next instance of pattern */
offset = mymemfind(str, len, pat, pat_len);
if (offset == -1)
break;
/* copy non matching part of input string */
memcpy(new_s, str, offset);
str += offset + pat_len;
len -= offset + pat_len;
/* copy substitute into the output string */
new_s += offset;
memcpy(new_s, sub, sub_len);
new_s += sub_len;
}
/* copy any remaining values into output string */
if (len > 0)
memcpy(new_s, str, len);
}
----------
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue26059>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
