diff options
author | Benjamin Peterson <benjamin@python.org> | 2015-01-04 22:03:59 (GMT) |
---|---|---|
committer | Benjamin Peterson <benjamin@python.org> | 2015-01-04 22:03:59 (GMT) |
commit | 72c2a0f60a7f15d89a53d96804312c353be7fdf2 (patch) | |
tree | 5688fcd760bbeac780c7111afbfc62396fc9cb92 | |
parent | 7919acb9202e1b4cf703d54a9346b980f8885a29 (diff) | |
parent | f18bf6fd2d2f0d7db6a5e5b4d86b709dd2b5ce6d (diff) | |
download | cpython-72c2a0f60a7f15d89a53d96804312c353be7fdf2.zip cpython-72c2a0f60a7f15d89a53d96804312c353be7fdf2.tar.gz cpython-72c2a0f60a7f15d89a53d96804312c353be7fdf2.tar.bz2 |
merge 3.2 (closes #23165)
-rw-r--r-- | Misc/NEWS | 3 | ||||
-rw-r--r-- | Python/fileutils.c | 16 |
2 files changed, 16 insertions, 3 deletions
@@ -23,6 +23,9 @@ Core and Builtins - Issue #22518: Fix integer overflow issues in latin-1 encoding. +- Issue #23165: Perform overflow checks before allocating memory in the + _Py_char2wchar function. + Library ------- diff --git a/Python/fileutils.c b/Python/fileutils.c index d25111f..5c66ecf 100644 --- a/Python/fileutils.c +++ b/Python/fileutils.c @@ -201,8 +201,11 @@ decode_ascii_surrogateescape(const char *arg, size_t *size) wchar_t *res; unsigned char *in; wchar_t *out; + size_t argsize = strlen(arg) + 1; - res = PyMem_Malloc((strlen(arg)+1)*sizeof(wchar_t)); + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + return NULL; + res = PyMem_Malloc(argsize*sizeof(wchar_t)); if (!res) return NULL; @@ -284,10 +287,15 @@ _Py_char2wchar(const char* arg, size_t *size) argsize = mbstowcs(NULL, arg, 0); #endif if (argsize != (size_t)-1) { - res = (wchar_t *)PyMem_Malloc((argsize+1)*sizeof(wchar_t)); + if (argsize == PY_SSIZE_T_MAX) + goto oom; + argsize += 1; + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + goto oom; + res = (wchar_t *)PyMem_Malloc(argsize*sizeof(wchar_t)); if (!res) goto oom; - count = mbstowcs(res, arg, argsize+1); + count = mbstowcs(res, arg, argsize); if (count != (size_t)-1) { wchar_t *tmp; /* Only use the result if it contains no @@ -310,6 +318,8 @@ _Py_char2wchar(const char* arg, size_t *size) /* Overallocate; as multi-byte characters are in the argument, the actual output could use less memory. */ argsize = strlen(arg) + 1; + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + goto oom; res = (wchar_t*)PyMem_Malloc(argsize*sizeof(wchar_t)); if (!res) goto oom; |