diff options
| author | Serhiy Storchaka <storchaka@gmail.com> | 2017-07-11 04:43:36 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-07-11 04:43:36 (GMT) |
| commit | 44eb51e6fcf45f3c2bf21c16e18c4da48a23d2d3 (patch) | |
| tree | f47f9790fab606bb6cf34151f84395f34d7781ad /Objects | |
| parent | 7527c32f5fedc3260d767900f1014495c0a1b7a5 (diff) | |
| download | cpython-44eb51e6fcf45f3c2bf21c16e18c4da48a23d2d3.zip cpython-44eb51e6fcf45f3c2bf21c16e18c4da48a23d2d3.tar.gz cpython-44eb51e6fcf45f3c2bf21c16e18c4da48a23d2d3.tar.bz2 | |
[3.5] bpo-22207: Add checks for possible integer overflows in unicodeobject.c. (GH-2623) (#2659)
Based on patch by Victor Stinner.
(cherry picked from commit 64e461be09e23705ecbab43a8b01722186641f71)
Diffstat (limited to 'Objects')
| -rw-r--r-- | Objects/unicodeobject.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index 66cb4af..571cd77 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c @@ -5209,13 +5209,12 @@ _PyUnicode_EncodeUTF32(PyObject *str, /* four bytes are reserved for each surrogate */ if (moreunits > 1) { Py_ssize_t outpos = out - (PY_UINT32_T*) PyBytes_AS_STRING(v); - Py_ssize_t morebytes = 4 * (moreunits - 1); - if (PyBytes_GET_SIZE(v) > PY_SSIZE_T_MAX - morebytes) { + if (moreunits >= (PY_SSIZE_T_MAX - PyBytes_GET_SIZE(v)) / 4) { /* integer overflow */ PyErr_NoMemory(); goto error; } - if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + morebytes) < 0) + if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + 4 * (moreunits - 1)) < 0) goto error; out = (PY_UINT32_T*) PyBytes_AS_STRING(v) + outpos; } @@ -5552,13 +5551,12 @@ _PyUnicode_EncodeUTF16(PyObject *str, /* two bytes are reserved for each surrogate */ if (moreunits > 1) { Py_ssize_t outpos = out - (unsigned short*) PyBytes_AS_STRING(v); - Py_ssize_t morebytes = 2 * (moreunits - 1); - if (PyBytes_GET_SIZE(v) > PY_SSIZE_T_MAX - morebytes) { + if (moreunits >= (PY_SSIZE_T_MAX - PyBytes_GET_SIZE(v)) / 2) { /* integer overflow */ PyErr_NoMemory(); goto error; } - if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + morebytes) < 0) + if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + 2 * (moreunits - 1)) < 0) goto error; out = (unsigned short*) PyBytes_AS_STRING(v) + outpos; } @@ -6250,6 +6248,10 @@ _PyUnicode_DecodeUnicodeInternal(const char *s, 1)) return NULL; + if (size < 0) { + PyErr_BadInternalCall(); + return NULL; + } if (size == 0) _Py_RETURN_UNICODE_EMPTY(); @@ -7052,6 +7054,10 @@ decode_code_page_stateful(int code_page, PyErr_SetString(PyExc_ValueError, "invalid code page number"); return NULL; } + if (size < 0) { + PyErr_BadInternalCall(); + return NULL; + } if (consumed) *consumed = 0; |