summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSerhiy Storchaka <storchaka@gmail.com>2015-02-20 19:34:39 (GMT)
committerSerhiy Storchaka <storchaka@gmail.com>2015-02-20 19:34:39 (GMT)
commit78a82491277bc4ed3058757857abffd6119aea8e (patch)
treee1a79bb65641e31db6818e129ec1eae7387a6615
parentd6712137444820e2ac15e07ce932e1bb15330359 (diff)
parente55181f517bbfc875065ce86ed3e05cf0e0246fa (diff)
downloadcpython-78a82491277bc4ed3058757857abffd6119aea8e.zip
cpython-78a82491277bc4ed3058757857abffd6119aea8e.tar.gz
cpython-78a82491277bc4ed3058757857abffd6119aea8e.tar.bz2
Issue #23490: Fixed possible crashes related to interoperability between
old-style and new API for string with 2**30-1 characters.
-rw-r--r--Objects/unicodeobject.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index 8919844..8605c92 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -1535,6 +1535,10 @@ _PyUnicode_Ready(PyObject *unicode)
/* in case the native representation is 2-bytes, we need to allocate a
new normalized 4-byte version. */
length_wo_surrogates = _PyUnicode_WSTR_LENGTH(unicode) - num_surrogates;
+ if (length_wo_surrogates > PY_SSIZE_T_MAX / 4 - 1) {
+ PyErr_NoMemory();
+ return -1;
+ }
_PyUnicode_DATA_ANY(unicode) = PyObject_MALLOC(4 * (length_wo_surrogates + 1));
if (!_PyUnicode_DATA_ANY(unicode)) {
PyErr_NoMemory();
@@ -3811,6 +3815,11 @@ PyUnicode_AsUnicodeAndSize(PyObject *unicode, Py_ssize_t *size)
#endif
}
else {
+ if ((size_t)_PyUnicode_LENGTH(unicode) >
+ PY_SSIZE_T_MAX / sizeof(wchar_t) - 1) {
+ PyErr_NoMemory();
+ return NULL;
+ }
_PyUnicode_WSTR(unicode) = (wchar_t *) PyObject_MALLOC(sizeof(wchar_t) *
(_PyUnicode_LENGTH(unicode) + 1));
if (!_PyUnicode_WSTR(unicode)) {