Skip to content

Commit be8da9c

Browse files
vadmiumvadmium
committed
Issue #27570: Avoid zero-length memcpy() calls with null source pointers
1 parent 799520c commit be8da9c

File tree

5 files changed

+40
-15
lines changed

5 files changed

+40
-15
lines changed

Lib/test/test_array.py

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -38,14 +38,24 @@ def __init__(self, typecode, newarg=None):
3838
if have_long_long:
3939
typecodes += 'qQ'
4040

41-
class BadConstructorTest(unittest.TestCase):
41+
class MiscTest(unittest.TestCase):
4242

43-
def test_constructor(self):
43+
def test_bad_constructor(self):
4444
self.assertRaises(TypeError, array.array)
4545
self.assertRaises(TypeError, array.array, spam=42)
4646
self.assertRaises(TypeError, array.array, 'xx')
4747
self.assertRaises(ValueError, array.array, 'x')
4848

49+
def test_empty(self):
50+
# Exercise code for handling zero-length arrays
51+
a = array.array('B')
52+
a[:] = a
53+
self.assertEqual(len(a), 0)
54+
self.assertEqual(len(a + a), 0)
55+
self.assertEqual(len(a * 3), 0)
56+
a += a
57+
self.assertEqual(len(a), 0)
58+
4959

5060
# Machine format codes.
5161
#

Misc/NEWS

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -67,6 +67,9 @@ Core and Builtins
6767
Library
6868
-------
6969

70+
- Issue #27570: Avoid zero-length memcpy() etc calls with null source
71+
pointers in the "ctypes" and "array" modules.
72+
7073
- Issue #22233: Break email header lines *only* on the RFC specified CR and LF
7174
characters, not on arbitrary unicode line breaks. This also fixes a bug in
7275
HTTP header parsing.

Modules/_ctypes/_ctypes.c

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1381,8 +1381,10 @@ PyCArrayType_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
13811381
goto error;
13821382
}
13831383
stgdict->shape[0] = length;
1384-
memmove(&stgdict->shape[1], itemdict->shape,
1385-
sizeof(Py_ssize_t) * (stgdict->ndim - 1));
1384+
if (stgdict->ndim > 1) {
1385+
memmove(&stgdict->shape[1], itemdict->shape,
1386+
sizeof(Py_ssize_t) * (stgdict->ndim - 1));
1387+
}
13861388

13871389
itemsize = itemdict->size;
13881390
if (length * itemsize < 0) {

Modules/_ctypes/stgdict.c

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -391,9 +391,11 @@ PyCStructUnionType_update_stgdict(PyObject *type, PyObject *fields, int isStruct
391391
}
392392
memset(stgdict->ffi_type_pointer.elements, 0,
393393
sizeof(ffi_type *) * (basedict->length + len + 1));
394-
memcpy(stgdict->ffi_type_pointer.elements,
395-
basedict->ffi_type_pointer.elements,
396-
sizeof(ffi_type *) * (basedict->length));
394+
if (basedict->length > 0) {
395+
memcpy(stgdict->ffi_type_pointer.elements,
396+
basedict->ffi_type_pointer.elements,
397+
sizeof(ffi_type *) * (basedict->length));
398+
}
397399
ffi_ofs = basedict->length;
398400
} else {
399401
offset = 0;

Modules/arraymodule.c

Lines changed: 16 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -745,8 +745,10 @@ array_slice(arrayobject *a, Py_ssize_t ilow, Py_ssize_t ihigh)
745745
np = (arrayobject *) newarrayobject(&Arraytype, ihigh - ilow, a->ob_descr);
746746
if (np == NULL)
747747
return NULL;
748-
memcpy(np->ob_item, a->ob_item + ilow * a->ob_descr->itemsize,
749-
(ihigh-ilow) * a->ob_descr->itemsize);
748+
if (ihigh > ilow) {
749+
memcpy(np->ob_item, a->ob_item + ilow * a->ob_descr->itemsize,
750+
(ihigh-ilow) * a->ob_descr->itemsize);
751+
}
750752
return (PyObject *)np;
751753
}
752754

@@ -804,9 +806,13 @@ array_concat(arrayobject *a, PyObject *bb)
804806
if (np == NULL) {
805807
return NULL;
806808
}
807-
memcpy(np->ob_item, a->ob_item, Py_SIZE(a)*a->ob_descr->itemsize);
808-
memcpy(np->ob_item + Py_SIZE(a)*a->ob_descr->itemsize,
809-
b->ob_item, Py_SIZE(b)*b->ob_descr->itemsize);
809+
if (Py_SIZE(a) > 0) {
810+
memcpy(np->ob_item, a->ob_item, Py_SIZE(a)*a->ob_descr->itemsize);
811+
}
812+
if (Py_SIZE(b) > 0) {
813+
memcpy(np->ob_item + Py_SIZE(a)*a->ob_descr->itemsize,
814+
b->ob_item, Py_SIZE(b)*b->ob_descr->itemsize);
815+
}
810816
return (PyObject *)np;
811817
#undef b
812818
}
@@ -826,7 +832,7 @@ array_repeat(arrayobject *a, Py_ssize_t n)
826832
np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr);
827833
if (np == NULL)
828834
return NULL;
829-
if (n == 0)
835+
if (size == 0)
830836
return (PyObject *)np;
831837
oldbytes = Py_SIZE(a) * a->ob_descr->itemsize;
832838
newbytes = oldbytes * n;
@@ -985,8 +991,10 @@ array_do_extend(arrayobject *self, PyObject *bb)
985991
size = oldsize + Py_SIZE(b);
986992
if (array_resize(self, size) == -1)
987993
return -1;
988-
memcpy(self->ob_item + oldsize * self->ob_descr->itemsize,
989-
b->ob_item, bbsize * b->ob_descr->itemsize);
994+
if (bbsize > 0) {
995+
memcpy(self->ob_item + oldsize * self->ob_descr->itemsize,
996+
b->ob_item, bbsize * b->ob_descr->itemsize);
997+
}
990998

991999
return 0;
9921000
#undef b

0 commit comments

Comments
 (0)