Issue #18025: Fixed a segfault in io.BufferedIOBase.readinto() when raw

serhiy-storchaka · serhiy-storchaka · commit 281945f42720 · 2013-05-28T16:27:08.000+03:00
stream's read() returns more bytes than requested.
diff --git a/Lib/test/test_io.py b/Lib/test/test_io.py
@@ -3027,6 +3027,15 @@ def test_open_allargs(self):
 class CMiscIOTest(MiscIOTest):
     io = io
 
+    def test_readinto_buffer_overflow(self):
+        # Issue #18025
+        class BadReader(self.io.BufferedIOBase):
+            def read(self, n=-1):
+                return b'x' * 10**6
+        bufio = BadReader()
+        b = bytearray(2)
+        self.assertRaises(ValueError, bufio.readinto, b)
+
 class PyMiscIOTest(MiscIOTest):
     io = pyio
 
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -96,6 +96,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #18025: Fixed a segfault in io.BufferedIOBase.readinto() when raw
+  stream's read() returns more bytes than requested.
+
 - Issue #18011: base64.b32decode() now raises a binascii.Error if there are
   non-alphabet characters present in the input string to conform a docstring.
   Updated the module documentation.
diff --git a/Modules/_io/bufferedio.c b/Modules/_io/bufferedio.c
@@ -69,6 +69,14 @@ bufferediobase_readinto(PyObject *self, PyObject *args)
     }
 
     len = Py_SIZE(data);
+    if (len > buf.len) {
+        PyErr_Format(PyExc_ValueError,
+                     "read() returned too much data: "
+                     "%zd bytes requested, %zd returned",
+                     buf.len, len);
+        Py_DECREF(data);
+        goto error;
+    }
     memcpy(buf.buf, PyBytes_AS_STRING(data), len);
 
     PyBuffer_Release(&buf);
