Skip to content

Commit e26fb3a

Browse files
tomlogicdpgeorge
tomlogic
authored and
dpgeorge
committed
py/objstringio: Catch mp_uint_t overflow of stream position in write().
1 parent ed6d254 commit e26fb3a

File tree

1 file changed

+11
-6
lines changed

1 file changed

+11
-6
lines changed

py/objstringio.c

+11-6
Original file line numberDiff line numberDiff line change
@@ -72,22 +72,27 @@ STATIC mp_uint_t stringio_write(mp_obj_t o_in, const void *buf, mp_uint_t size,
7272
(void)errcode;
7373
mp_obj_stringio_t *o = MP_OBJ_TO_PTR(o_in);
7474
check_stringio_is_open(o);
75-
mp_int_t remaining = o->vstr->alloc - o->pos;
75+
mp_uint_t new_pos = o->pos + size;
76+
if (new_pos < size) {
77+
// Writing <size> bytes will overflow o->pos beyond limit of mp_uint_t.
78+
*errcode = MP_EFBIG;
79+
return MP_STREAM_ERROR;
80+
}
7681
mp_uint_t org_len = o->vstr->len;
77-
if ((mp_int_t)size > remaining) {
82+
if (new_pos > o->vstr->alloc) {
7883
// Take all what's already allocated...
7984
o->vstr->len = o->vstr->alloc;
8085
// ... and add more
81-
vstr_add_len(o->vstr, size - remaining);
86+
vstr_add_len(o->vstr, new_pos - o->vstr->alloc);
8287
}
8388
// If there was a seek past EOF, clear the hole
8489
if (o->pos > org_len) {
8590
memset(o->vstr->buf + org_len, 0, o->pos - org_len);
8691
}
8792
memcpy(o->vstr->buf + o->pos, buf, size);
88-
o->pos += size;
89-
if (o->pos > o->vstr->len) {
90-
o->vstr->len = o->pos;
93+
o->pos = new_pos;
94+
if (new_pos > o->vstr->len) {
95+
o->vstr->len = new_pos;
9196
}
9297
return size;
9398
}

0 commit comments

Comments
 (0)