Ramin Farajpour Cami added the comment:

static char *
mymemreplace(const char *str, Py_ssize_t len,
             const char *pat, Py_ssize_t pat_len,   /* pattern string to find */
             const char *sub, Py_ssize_t sub_len,   /* substitution string */
             Py_ssize_t count,                      /* number of replacements */
             Py_ssize_t *out_len)
{
    [...]
    new_len = len + nfound*(sub_len - pat_len);   <<<< Unchecked arithmetic can overflow here.
    if (new_len == 0) {
        /* Have to allocate something for the caller to free(). */
        out_s = (char *)PyMem_MALLOC(1);
        if (out_s == NULL)
            return NULL;
        out_s[0] = '\0';
    }
    else {
        assert(new_len > 0);
        new_s = (char *)PyMem_MALLOC(new_len);   <<<< An allocation is performed using the overflowed value.
        if (new_s == NULL)
            return NULL;
        out_s = new_s;

        for (; count > 0 && len > 0; --count) {   <<<< Memory is copied to new_s using len, which can be greater than the overflowed new_len value.
            /* find index of next instance of pattern */
            offset = mymemfind(str, len, pat, pat_len);
            if (offset == -1)
                break;

            /* copy non matching part of input string */
            memcpy(new_s, str, offset);
            str += offset + pat_len;
            len -= offset + pat_len;

            /* copy substitute into the output string */
            new_s += offset;
            memcpy(new_s, sub, sub_len);
            new_s += sub_len;
        }
        /* copy any remaining values into output string */
        if (len > 0)
            memcpy(new_s, str, len);
    }

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue26059>
_______________________________________