Issue #27897: Fixed possible crash in sqlite3.Connection.create_collation()

serhiy-storchaka · serhiy-storchaka · commit 22805ca54e1e · 2016-09-27T00:14:24.000+03:00
if pass invalid string-like object as a name.  Patch by Xiang Zhang.
diff --git a/Lib/sqlite3/test/hooks.py b/Lib/sqlite3/test/hooks.py
@@ -25,6 +25,11 @@
 import sqlite3 as sqlite
 
 class CollationTests(unittest.TestCase):
+    def CheckCreateCollationNotString(self):
+        con = sqlite.connect(":memory:")
+        with self.assertRaises(TypeError):
+            con.create_collation(None, lambda x, y: (x > y) - (x < y))
+
     def CheckCreateCollationNotCallable(self):
         con = sqlite.connect(":memory:")
         with self.assertRaises(TypeError) as cm:
@@ -36,6 +41,23 @@ def CheckCreateCollationNotAscii(self):
         with self.assertRaises(sqlite.ProgrammingError):
             con.create_collation("coll�", lambda x, y: (x > y) - (x < y))
 
+    def CheckCreateCollationBadUpper(self):
+        class BadUpperStr(str):
+            def upper(self):
+                return None
+        con = sqlite.connect(":memory:")
+        mycoll = lambda x, y: -((x > y) - (x < y))
+        con.create_collation(BadUpperStr("mycoll"), mycoll)
+        result = con.execute("""
+            select x from (
+            select 'a' as x
+            union
+            select 'b' as x
+            ) order by x collate mycoll
+            """).fetchall()
+        self.assertEqual(result[0][0], 'b')
+        self.assertEqual(result[1][0], 'a')
+
     @unittest.skipIf(sqlite.sqlite_version_info < (3, 2, 1),
                      'old SQLite versions crash on this test')
     def CheckCollationIsUsed(self):
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -41,6 +41,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #27897: Fixed possible crash in sqlite3.Connection.create_collation()
+  if pass invalid string-like object as a name.  Patch by Xiang Zhang.
+
 - Issue #18893: Fix invalid exception handling in Lib/ctypes/macholib/dyld.py.
   Patch by Madison May.
 
diff --git a/Modules/_sqlite/connection.c b/Modules/_sqlite/connection.c
@@ -1498,11 +1498,13 @@ pysqlite_connection_create_collation(pysqlite_Connection* self, PyObject* args)
         goto finally;
     }
 
-    if (!PyArg_ParseTuple(args, "O!O:create_collation(name, callback)", &PyUnicode_Type, &name, &callable)) {
+    if (!PyArg_ParseTuple(args, "UO:create_collation(name, callback)",
+                          &name, &callable)) {
         goto finally;
     }
 
-    uppercase_name = _PyObject_CallMethodId(name, &PyId_upper, NULL);
+    uppercase_name = _PyObject_CallMethodIdObjArgs((PyObject *)&PyUnicode_Type,
+                                                   &PyId_upper, name, NULL);
     if (!uppercase_name) {
         goto finally;
     }

Original file line number	Diff line number	Diff line change
`@@ -1498,11 +1498,13 @@ pysqlite_connection_create_collation(pysqlite_Connection* self, PyObject* args)`
`1498`	`1498`	`goto finally;`
`1499`	`1499`	`}`
`1500`	`1500`
`1501`		`- if (!PyArg_ParseTuple(args, "O!O:create_collation(name, callback)", &PyUnicode_Type, &name, &callable)) {`
	`1501`	`+ if (!PyArg_ParseTuple(args, "UO:create_collation(name, callback)",`
	`1502`	`+ &name, &callable)) {`
`1502`	`1503`	`goto finally;`
`1503`	`1504`	`}`
`1504`	`1505`
`1505`		`- uppercase_name = _PyObject_CallMethodId(name, &PyId_upper, NULL);`
	`1506`	`+ uppercase_name = _PyObject_CallMethodIdObjArgs((PyObject *)&PyUnicode_Type,`
	`1507`	`+ &PyId_upper, name, NULL);`
`1506`	`1508`	`if (!uppercase_name) {`
`1507`	`1509`	`goto finally;`
`1508`	`1510`	`}`