Fix out of bounds read in long_new() for empty bytes with an explicit base. int(b'', somebase) calls PyLong_FromString() with char* of length 1 but the function accesses the first argument at offset 1. CID 715359

tiran · tiran · commit 7ae251a02566 · 2012-09-12T15:32:06.000+02:00
diff --git a/Objects/longobject.c b/Objects/longobject.c
@@ -4285,8 +4285,8 @@ long_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
             string = PyByteArray_AS_STRING(x);
         else
             string = PyBytes_AS_STRING(x);
-        if (strlen(string) != (size_t)size) {
-            /* We only see this if there's a null byte in x,
+        if (strlen(string) != (size_t)size || !size) {
+            /* We only see this if there's a null byte in x or x is empty,
                x is a bytes or buffer, *and* a base is given. */
             PyErr_Format(PyExc_ValueError,
                          "invalid literal for int() with base %d: %R",
