summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBenjamin Peterson <benjamin@python.org>2015-01-04 22:03:17 (GMT)
committerBenjamin Peterson <benjamin@python.org>2015-01-04 22:03:17 (GMT)
commitf18bf6fd2d2f0d7db6a5e5b4d86b709dd2b5ce6d (patch)
treea0a31095c331e136dc8f4613c35605fbca54aa7b
parent47e782a67a79e7d4fdc4536c6d6935c0e3b45705 (diff)
downloadcpython-f18bf6fd2d2f0d7db6a5e5b4d86b709dd2b5ce6d.zip
cpython-f18bf6fd2d2f0d7db6a5e5b4d86b709dd2b5ce6d.tar.gz
cpython-f18bf6fd2d2f0d7db6a5e5b4d86b709dd2b5ce6d.tar.bz2
add some overflow checks before multiplying (closes #23165)
-rw-r--r--Misc/NEWS3
-rw-r--r--Python/fileutils.c16
2 files changed, 16 insertions, 3 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index 3cff3cd..e841862 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 3.2.6?
Core and Builtins
-----------------
+- Issue #23165: Perform overflow checks before allocating memory in the
+ _Py_char2wchar function.
+
- Issue #19529: Fix a potential crash in converting Unicode objects to wchar_t
when Py_UNICODE is 4 bytes but wchar_t is 2 bytes, for example on AIX.
diff --git a/Python/fileutils.c b/Python/fileutils.c
index 53e8a47..7d08e07 100644
--- a/Python/fileutils.c
+++ b/Python/fileutils.c
@@ -169,8 +169,11 @@ decode_ascii_surrogateescape(const char *arg, size_t *size)
wchar_t *res;
unsigned char *in;
wchar_t *out;
+ size_t argsize = strlen(arg) + 1;
- res = PyMem_Malloc((strlen(arg)+1)*sizeof(wchar_t));
+ if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t))
+ return NULL;
+ res = PyMem_Malloc(argsize*sizeof(wchar_t));
if (!res)
return NULL;
@@ -250,10 +253,15 @@ _Py_char2wchar(const char* arg, size_t *size)
argsize = mbstowcs(NULL, arg, 0);
#endif
if (argsize != (size_t)-1) {
- res = (wchar_t *)PyMem_Malloc((argsize+1)*sizeof(wchar_t));
+ if (argsize == PY_SSIZE_T_MAX)
+ goto oom;
+ argsize += 1;
+ if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t))
+ goto oom;
+ res = (wchar_t *)PyMem_Malloc(argsize*sizeof(wchar_t));
if (!res)
goto oom;
- count = mbstowcs(res, arg, argsize+1);
+ count = mbstowcs(res, arg, argsize);
if (count != (size_t)-1) {
wchar_t *tmp;
/* Only use the result if it contains no
@@ -276,6 +284,8 @@ _Py_char2wchar(const char* arg, size_t *size)
/* Overallocate; as multi-byte characters are in the argument, the
actual output could use less memory. */
argsize = strlen(arg) + 1;
+ if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t))
+ goto oom;
res = (wchar_t*)PyMem_Malloc(argsize*sizeof(wchar_t));
if (!res)
goto oom;