merge 3.3 (closes #27760)

author: Benjamin Peterson <benjamin@python.org> 2016-08-14 01:36:55 (GMT)
committer: Benjamin Peterson <benjamin@python.org> 2016-08-14 01:36:55 (GMT)
commit: 5295532adb9d33970dd0f3370ab45c4e3bc3757c (patch)
tree: 80169a92b70fd8dce05390a2a0f9ef7c6adee6af
parent: 40a77c33819606b40ca04f680a06fcf31e2151a6 (diff)
parent: 4f976513efd8d411126e09d036842d0691c49c82 (diff)
download: cpython-5295532adb9d33970dd0f3370ab45c4e3bc3757c.zip
cpython-5295532adb9d33970dd0f3370ab45c4e3bc3757c.tar.gz
cpython-5295532adb9d33970dd0f3370ab45c4e3bc3757c.tar.bz2
2 files changed, 17 insertions, 9 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index ca80c73..4e457f0 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -16,6 +16,8 @@ Library
 - In the curses module, raise an error if window.getstr() is passed a negative
   value.
 
+- Issue #27760: Fix possible integer overflow in binascii.b2a_qp.
+
 - Issue #27758: Fix possible integer overflow in the _csv module for large record
   lengths.
 
diff --git a/Modules/binascii.c b/Modules/binascii.c
index ea14d3c..c9309ce 100644
--- a/Modules/binascii.c
+++ b/Modules/binascii.c
@@ -1408,6 +1408,7 @@ binascii_b2a_qp_impl(PyModuleDef *module, Py_buffer *data, int quotetabs, int is
     /* First, scan to see how many characters need to be encoded */
     in = 0;
     while (in < datalen) {
+        Py_ssize_t delta = 0;
         if ((databuf[in] > 126) ||
             (databuf[in] == '=') ||
             (header && databuf[in] == '_') ||
@@ -1422,12 +1423,12 @@ binascii_b2a_qp_impl(PyModuleDef *module, Py_buffer *data, int quotetabs, int is
             if ((linelen + 3) >= MAXLINESIZE) {
                 linelen = 0;
                 if (crlf)
-                    odatalen += 3;
+                    delta += 3;
                 else
-                    odatalen += 2;
+                    delta += 2;
             }
             linelen += 3;
-            odatalen += 3;
+            delta += 3;
             in++;
         }
         else {
@@ -1439,11 +1440,11 @@ binascii_b2a_qp_impl(PyModuleDef *module, Py_buffer *data, int quotetabs, int is
                 linelen = 0;
                 /* Protect against whitespace on end of line */
                 if (in && ((databuf[in-1] == ' ') || (databuf[in-1] == '\t')))
-                    odatalen += 2;
+                    delta += 2;
                 if (crlf)
-                    odatalen += 2;
+                    delta += 2;
                 else
-                    odatalen += 1;
+                    delta += 1;
                 if (databuf[in] == '\r')
                     in += 2;
                 else
@@ -1455,15 +1456,20 @@ binascii_b2a_qp_impl(PyModuleDef *module, Py_buffer *data, int quotetabs, int is
                     (linelen + 1) >= MAXLINESIZE) {
                     linelen = 0;
                     if (crlf)
-                        odatalen += 3;
+                        delta += 3;
                     else
-                        odatalen += 2;
+                        delta += 2;
                 }
                 linelen++;
-                odatalen++;
+                delta++;
                 in++;
             }
         }
+        if (PY_SSIZE_T_MAX - delta < odatalen) {
+            PyErr_NoMemory();
+            return NULL;
+        }
+        odatalen += delta;
     }
 
     /* We allocate the output same size as input, this is overkill.
author	Benjamin Peterson <benjamin@python.org>	2016-08-14 01:36:55 (GMT)
committer	Benjamin Peterson <benjamin@python.org>	2016-08-14 01:36:55 (GMT)
commit	5295532adb9d33970dd0f3370ab45c4e3bc3757c (patch)
tree	80169a92b70fd8dce05390a2a0f9ef7c6adee6af
parent	40a77c33819606b40ca04f680a06fcf31e2151a6 (diff)
parent	4f976513efd8d411126e09d036842d0691c49c82 (diff)
download	cpython-5295532adb9d33970dd0f3370ab45c4e3bc3757c.zip cpython-5295532adb9d33970dd0f3370ab45c4e3bc3757c.tar.gz cpython-5295532adb9d33970dd0f3370ab45c4e3bc3757c.tar.bz2