authorJesus Cea <jcea@jcea.es>2012-09-10 19:39:07 (GMT)
committerJesus Cea <jcea@jcea.es>2012-09-10 19:39:07 (GMT)
commit3fb774ec5f64f0856767e5726d8083a5bf63f33e (patch)
tree5bcbb9c08938602968a9fee9da0058ee643b4c9d /Modules
parent03a9d2a20b76955bcbbf40f73d024c950db9a578 (diff)
Closes #15910: MD5 and SHA1 crash when "updated" with strings bigger than 2**32 bytes
Diffstat (limited to 'Modules')
-rw-r--r--Modules/md5module.c17
-rw-r--r--Modules/shamodule.c17
2 files changed, 30 insertions, 4 deletions
diff --git a/Modules/md5module.c b/Modules/md5module.c
index 3461623..103da14 100644
--- a/Modules/md5module.c
+++ b/Modules/md5module.c
@@ -51,12 +51,25 @@ static PyObject *
md5_update(md5object *self, PyObject *args)
{
Py_buffer view;
+ Py_ssize_t n;
+ unsigned char *buf;
if (!PyArg_ParseTuple(args, "s*:update", &view))
return NULL;
- md5_append(&self->md5, (unsigned char*)view.buf,
- Py_SAFE_DOWNCAST(view.len, Py_ssize_t, unsigned int));
+ n = view.len;
+ buf = (unsigned char *) view.buf;
+ while (n > 0) {
+ Py_ssize_t nbytes;
+ if (n > INT_MAX)
+ nbytes = INT_MAX;
+ else
+ nbytes = n;
+ md5_append(&self->md5, buf,
+ Py_SAFE_DOWNCAST(nbytes, Py_ssize_t, unsigned int));
+ buf += nbytes;
+ n -= nbytes;
+ }
PyBuffer_Release(&view);
Py_RETURN_NONE;
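Review bot: Any other call in this file that still hands `Py_SAFE_DOWNCAST(view.len, Py_ssize_t, unsigned int)` straight to `md5_append` keeps the truncation that this hunk removes from `md5_update`; none is visible here, but a constructor that accepts initial data would be the likely place, and it should get the same chunked loop. This matters for integrity as well as stability: `Py_SAFE_DOWNCAST` only asserts in debug builds, so in a release build an oversized length is silently narrowed and the digest covers less data than the caller supplied. The same check applies to the `SHA_update` hunk in Modules/shamodule.c and to any other `sha_update` caller there. I would also add a comment above the loop, for example `/* md5_append takes a length narrower than Py_ssize_t; feed large buffers in chunks of at most INT_MAX bytes */`. The closing brace of `md5_update` lies outside the hunk.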
diff --git a/Modules/shamodule.c b/Modules/shamodule.c
index df73441..656208d 100644
--- a/Modules/shamodule.c
+++ b/Modules/shamodule.c
@@ -429,12 +429,25 @@ static PyObject *
SHA_update(SHAobject *self, PyObject *args)
{
Py_buffer view;
+ Py_ssize_t n;
+ unsigned char *buf;
if (!PyArg_ParseTuple(args, "s*:update", &view))
return NULL;
- sha_update(self, (unsigned char*)view.buf,
- Py_SAFE_DOWNCAST(view.len, Py_ssize_t, unsigned int));
+ n = view.len;
+ buf = (unsigned char *) view.buf;
+ while (n > 0) {
+ Py_ssize_t nbytes;
+ if (n > INT_MAX)
+ nbytes = INT_MAX;
+ else
+ nbytes = n;
+ sha_update(self, buf,
+ Py_SAFE_DOWNCAST(nbytes, Py_ssize_t, unsigned int));
+ buf += nbytes;
+ n -= nbytes;
+ }
PyBuffer_Release(&view);
Py_RETURN_NONE;