gh-153662: Fix crash when calling io.TextIOWrapper.seek() with malformed cookie#153667
gh-153662: Fix crash when calling io.TextIOWrapper.seek() with malformed cookie#153667ByteFlowing1337 wants to merge 5 commits into
io.TextIOWrapper.seek() with malformed cookie#153667Conversation
| /* Skip chars_to_skip of the decoded characters. */ | ||
| if (PyUnicode_GetLength(self->decoded_chars) < cookie.chars_to_skip) { | ||
| /* gh-153662: Reject negative chars_to_skip*/ | ||
| if (cookie.chars_to_skip < 0 || PyUnicode_GetLength(self->decoded_chars) < cookie.chars_to_skip) { |
There was a problem hiding this comment.
Isn't there a way to have a helper for validating this? what if the chars to skip are way too large? can we hit an overflow somehow?
There was a problem hiding this comment.
I think there can hardly be an overflow.
If chars_to_skip is too large, in normal cases where self->decoded_chars is not that large, it will be rejected by the second condition, and an OSError is raised.
Even in the case that chars_to_skip is as large as INT_MAX and hasn't been rejected, it's later assigned to self->decoded_chars_used, which is a Py_ssize_t which is hard to overflow on 64-bit platforms.
There was a problem hiding this comment.
It may be hard but it can be crafted, as we did in your tests. So if possible, please add some more tests with malformed cookie values.
Uh oh!
There was an error while loading. Please reload this page.