Backport r62261 from trunk:

Prevent PyString_FromStringAndSize() from passing negative sizes on to lower
level memory allocation functions.  Raise a SystemError and return NULL
instead.

2 files changed, 13 insertions, 3 deletions

diff --git a/Misc/NEWS b/Misc/NEWS
index 357fa4f..aeee3f8 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -30,13 +30,15 @@ Core and builtins
 - Issue #2238: Some syntax errors in *args and **kwargs expressions could give
   bogus error messages.
 
+- Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size
+  parameter but was not verifying that it was greater than zero.  Values
+  less than zero will now raise a SystemError and return NULL to indicate a
+  bug in the calling C code.
+
 
 Library
 -------
 
-- zlib.decompressobj().flush(value) no longer crashes the interpreter when
-  passed a value less than or equal to zero.
-
 - Issue #2495: tokenize.untokenize now inserts a space between two consecutive
   string literals; previously, ["" ""] was rendered as [""""], which is
   incorrect python code.
@@ -72,6 +74,9 @@ Library
 Extension Modules
 -----------------
 
+- zlib.decompressobj().flush(value) no longer crashes the interpreter when
+  passed a value less than or equal to zero.
+
 Tests
 -----
 
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index e1e287f..7cd613d 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -54,6 +54,11 @@ PyString_FromStringAndSize(const char *str, Py_ssize_t size)
 {
 	register PyStringObject *op;
 	assert(size >= 0);
+	if (size < 0) {
+		PyErr_SetString(PyExc_SystemError,
+		    "Negative size passed to PyString_FromStringAndSize");
+		return NULL;
+	}
 	if (size == 0 && (op = nullstring) != NULL) {
 #ifdef COUNT_ALLOCS
 		null_strings++;