From 5baaac55ce2b9fb89c1f395e92f67abb5276ce6f Mon Sep 17 00:00:00 2001
From: Jeff Epler
Date: Wed, 8 Jan 2020 09:42:44 -0600
Subject: [PATCH] vstr_init_len: Don't crash if (size_t)-1 is passed

In this unusual case, (len + 1) is zero, the allocation in vstr_init succeeds (allocating 1 byte), and then the caller is likely to erroneously access outside the allocated region, for instance with a memset(). This could be triggered with os.urandom(-1) after it was converted to use mp_obj_new_bytes_of_zeros.
---
 py/vstr.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/py/vstr.c b/py/vstr.c
index 869b278057..888f7069bb 100644
--- a/py/vstr.c
+++ b/py/vstr.c
@@ -50,6 +50,8 @@ void vstr_init(vstr_t *vstr, size_t alloc) {
 // Init the vstr so it allocs exactly enough ram to hold a null-terminated
 // string of the given length, and set the length.
 void vstr_init_len(vstr_t *vstr, size_t len) {
+    if(len == SIZE_MAX)
+        m_malloc_fail(len);
     vstr_init(vstr, len + 1);
     vstr->len = len;
 }
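Review bot: The new guard `if(len == SIZE_MAX) m_malloc_fail(len);` is only a fix if m_malloc_fail() never returns; its declaration is outside the hunk, and should it return, the very next line `vstr_init(vstr, len + 1)` still runs with len + 1 wrapped to 0 and then sets `vstr->len = SIZE_MAX`, leaving the 1-byte allocation the commit message describes. Please confirm the noreturn contract, and also that `SIZE_MAX` (from <stdint.h>) is already visible in this file, since the includes are not in the hunk. Stylistically the added lines do not follow the surrounding code: the file uses `if (` with a space and always braces the body, so I would write `if (len == SIZE_MAX) {` / `    m_malloc_fail(len);` / `}`. A one-line why-comment above the check would help the next reader, e.g. `// len + 1 would wrap to 0 and vstr_init would allocate only the 1-byte terminator`.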