bpo-30245: Fix possible overflow when organize struct.pack_into error message (python#1682)

johanliu · zhangyangyu · commit aead53b6ee27 · 2017-06-02T14:33:04.000+08:00
diff --git a/Lib/test/test_struct.py b/Lib/test/test_struct.py
@@ -599,6 +599,16 @@ def test_boundary_error_message_with_negative_offset(self):
                 'offset -11 out of range for 10-byte buffer'):
             struct.pack_into('<B', byte_list, -11, 123)
 
+    def test_boundary_error_message_with_large_offset(self):
+        # Test overflows cause by large offset and value size (issue 30245)
+        regex = (
+            r'pack_into requires a buffer of at least ' + str(sys.maxsize + 4) +
+            r' bytes for packing 4 bytes at offset ' + str(sys.maxsize) +
+            r' \(actual buffer size is 10\)'
+        )
+        with self.assertRaisesRegex(struct.error, regex):
+            struct.pack_into('<I', bytearray(10), sys.maxsize, 1)
+
     def test_issue29802(self):
         # When the second argument of struct.unpack() was of wrong type
         # the Struct object was decrefed twice and the reference to
diff --git a/Misc/ACKS b/Misc/ACKS
@@ -921,6 +921,7 @@ Gregor Lingl
 Everett Lipman
 Mirko Liss
 Alexander Liu
+Yuan Liu
 Nick Lockwood
 Stephanie Lockwood
 Martin von Löwis
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -345,6 +345,9 @@ Extension Modules
 Library
 -------
 
+- bpo-30245: Fix possible overflow when organize struct.pack_into
+  error message.  Patch by Yuan Liu.
+  
 - bpo-30378: Fix the problem that logging.handlers.SysLogHandler cannot
   handle IPv6 addresses.
 
diff --git a/Modules/_struct.c b/Modules/_struct.c
@@ -1929,11 +1929,14 @@ s_pack_into(PyObject *self, PyObject **args, Py_ssize_t nargs, PyObject *kwnames
 
     /* Check boundaries */
     if ((buffer.len - offset) < soself->s_size) {
+        assert(offset >= 0);
+        assert(soself->s_size >= 0);
+
         PyErr_Format(StructError,
-                     "pack_into requires a buffer of at least %zd bytes for "
+                     "pack_into requires a buffer of at least %zu bytes for "
                      "packing %zd bytes at offset %zd "
                      "(actual buffer size is %zd)",
-                     soself->s_size + offset,
+                     (size_t)soself->s_size + (size_t)offset,
                      soself->s_size,
                      offset,
                      buffer.len);
