[2.7] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174)

author: Jay Bosamiya <jaybosamiya@gmail.com> 2017-06-18 16:41:03 (GMT)
committer: Serhiy Storchaka <storchaka@gmail.com> 2017-06-18 16:41:03 (GMT)
commit: c3c9db89273fabc62ea1b48389d9a3000c1c03ae (patch)
tree: 4d82a89c33bb16f5ce99fa49ee7d5604ba211433 /Objects/stringobject.c
parent: 24c2c20873dc800c99d1dabf26419b40cadfe627 (diff)
download: cpython-c3c9db89273fabc62ea1b48389d9a3000c1c03ae.zip
cpython-c3c9db89273fabc62ea1b48389d9a3000c1c03ae.tar.gz
cpython-c3c9db89273fabc62ea1b48389d9a3000c1c03ae.tar.bz2
1 files changed, 7 insertions, 1 deletions
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index c78e193..59d22e7 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s,
     char *p, *buf;
     const char *end;
     PyObject *v;
-    Py_ssize_t newlen = recode_encoding ? 4*len:len;
+    Py_ssize_t newlen;
+    /* Check for integer overflow */
+    if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
+        PyErr_SetString(PyExc_OverflowError, "string is too large");
+        return NULL;
+    }
+    newlen = recode_encoding ? 4*len:len;
     v = PyString_FromStringAndSize((char *)NULL, newlen);
     if (v == NULL)
         return NULL;
author	Jay Bosamiya <jaybosamiya@gmail.com>	2017-06-18 16:41:03 (GMT)
committer	Serhiy Storchaka <storchaka@gmail.com>	2017-06-18 16:41:03 (GMT)
commit	c3c9db89273fabc62ea1b48389d9a3000c1c03ae (patch)
tree	4d82a89c33bb16f5ce99fa49ee7d5604ba211433 /Objects/stringobject.c
parent	24c2c20873dc800c99d1dabf26419b40cadfe627 (diff)
download	cpython-c3c9db89273fabc62ea1b48389d9a3000c1c03ae.zip cpython-c3c9db89273fabc62ea1b48389d9a3000c1c03ae.tar.gz cpython-c3c9db89273fabc62ea1b48389d9a3000c1c03ae.tar.bz2