Issue #27473: Fixed possible integer overflow in bytes and bytearray

concatenations. Patch by Xiang Zhang.
author: Serhiy Storchaka <storchaka@gmail.com> 2016-07-10 17:48:43 (GMT)
committer: Serhiy Storchaka <storchaka@gmail.com> 2016-07-10 17:48:43 (GMT)
commit: 06cfb0cd7037795cc7dca2729a241ed2a1fb1628 (patch)
tree: bad810ee3e949b78287631096ea2fe6e444c927b /Objects/bytesobject.c
parent: 537ad7ad9fdefa44fdfd7f5cbee198ad381deb60 (diff)
download: cpython-06cfb0cd7037795cc7dca2729a241ed2a1fb1628.zip
cpython-06cfb0cd7037795cc7dca2729a241ed2a1fb1628.tar.gz
cpython-06cfb0cd7037795cc7dca2729a241ed2a1fb1628.tar.bz2
1 files changed, 2 insertions, 4 deletions
diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
index c2aa65c..5934336 100644
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -1265,7 +1265,6 @@ bytes_length(PyBytesObject *a)
 static PyObject *
 bytes_concat(PyObject *a, PyObject *b)
 {
-    Py_ssize_t size;
     Py_buffer va, vb;
     PyObject *result = NULL;
 
@@ -1290,13 +1289,12 @@ bytes_concat(PyObject *a, PyObject *b)
         goto done;
     }
 
-    size = va.len + vb.len;
-    if (size < 0) {
+    if (va.len > PY_SSIZE_T_MAX - vb.len) {
         PyErr_NoMemory();
         goto done;
     }
 
-    result = PyBytes_FromStringAndSize(NULL, size);
+    result = PyBytes_FromStringAndSize(NULL, va.len + vb.len);
     if (result != NULL) {
         memcpy(PyBytes_AS_STRING(result), va.buf, va.len);
         memcpy(PyBytes_AS_STRING(result) + va.len, vb.buf, vb.len);
author	Serhiy Storchaka <storchaka@gmail.com>	2016-07-10 17:48:43 (GMT)
committer	Serhiy Storchaka <storchaka@gmail.com>	2016-07-10 17:48:43 (GMT)
commit	06cfb0cd7037795cc7dca2729a241ed2a1fb1628 (patch)
tree	bad810ee3e949b78287631096ea2fe6e444c927b /Objects/bytesobject.c
parent	537ad7ad9fdefa44fdfd7f5cbee198ad381deb60 (diff)
download	cpython-06cfb0cd7037795cc7dca2729a241ed2a1fb1628.zip cpython-06cfb0cd7037795cc7dca2729a241ed2a1fb1628.tar.gz cpython-06cfb0cd7037795cc7dca2729a241ed2a1fb1628.tar.bz2