vstr_init_len: Don't crash if (size_t)-1 is passed

jepler · jepler · commit 5baaac55ce2b · 2020-01-08T09:42:44.000-06:00
In this unusual case, (len + 1) is zero, the allocation in vstr_init
succeeds (allocating 1 byte), and then the caller is likely to erroneously
access outside the allocated region, for instance with a memset().

This could be triggered with os.urandom(-1) after it was converted to use
mp_obj_new_bytes_of_zeros.
diff --git a/py/vstr.c b/py/vstr.c
@@ -50,6 +50,8 @@ void vstr_init(vstr_t *vstr, size_t alloc) {
 // Init the vstr so it allocs exactly enough ram to hold a null-terminated
 // string of the given length, and set the length.
 void vstr_init_len(vstr_t *vstr, size_t len) {
+    if(len == SIZE_MAX)
+        m_malloc_fail(len);
     vstr_init(vstr, len + 1);
     vstr->len = len;
 }

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,8 @@ void vstr_init(vstr_t *vstr, size_t alloc) {`
`50`	`50`	`// Init the vstr so it allocs exactly enough ram to hold a null-terminated`
`51`	`51`	`// string of the given length, and set the length.`
`52`	`52`	`void vstr_init_len(vstr_t *vstr, size_t len) {`
	`53`	`+ if(len == SIZE_MAX)`
	`54`	`+ m_malloc_fail(len);`
`53`	`55`	`vstr_init(vstr, len + 1);`
`54`	`56`	`vstr->len = len;`
`55`	`57`	`}`