diff options
author | Serhiy Storchaka <storchaka@gmail.com> | 2015-02-20 19:34:39 (GMT) |
---|---|---|
committer | Serhiy Storchaka <storchaka@gmail.com> | 2015-02-20 19:34:39 (GMT) |
commit | 78a82491277bc4ed3058757857abffd6119aea8e (patch) | |
tree | e1a79bb65641e31db6818e129ec1eae7387a6615 | |
parent | d6712137444820e2ac15e07ce932e1bb15330359 (diff) | |
parent | e55181f517bbfc875065ce86ed3e05cf0e0246fa (diff) | |
download | cpython-78a82491277bc4ed3058757857abffd6119aea8e.zip cpython-78a82491277bc4ed3058757857abffd6119aea8e.tar.gz cpython-78a82491277bc4ed3058757857abffd6119aea8e.tar.bz2 |
Issue #23490: Fixed possible crashes related to interoperability between
old-style and new API for string with 2**30-1 characters.
-rw-r--r-- | Objects/unicodeobject.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index 8919844..8605c92 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c @@ -1535,6 +1535,10 @@ _PyUnicode_Ready(PyObject *unicode) /* in case the native representation is 2-bytes, we need to allocate a new normalized 4-byte version. */ length_wo_surrogates = _PyUnicode_WSTR_LENGTH(unicode) - num_surrogates; + if (length_wo_surrogates > PY_SSIZE_T_MAX / 4 - 1) { + PyErr_NoMemory(); + return -1; + } _PyUnicode_DATA_ANY(unicode) = PyObject_MALLOC(4 * (length_wo_surrogates + 1)); if (!_PyUnicode_DATA_ANY(unicode)) { PyErr_NoMemory(); @@ -3811,6 +3815,11 @@ PyUnicode_AsUnicodeAndSize(PyObject *unicode, Py_ssize_t *size) #endif } else { + if ((size_t)_PyUnicode_LENGTH(unicode) > + PY_SSIZE_T_MAX / sizeof(wchar_t) - 1) { + PyErr_NoMemory(); + return NULL; + } _PyUnicode_WSTR(unicode) = (wchar_t *) PyObject_MALLOC(sizeof(wchar_t) * (_PyUnicode_LENGTH(unicode) + 1)); if (!_PyUnicode_WSTR(unicode)) { |