summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Objects/stringobject.c8
-rw-r--r--Objects/unicodeobject.c8
2 files changed, 12 insertions, 4 deletions
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index 6a9450a..5c5b6ae 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -3319,7 +3319,7 @@ _PyString_Resize(PyObject **pv, int newsize)
register PyObject *v;
register PyStringObject *sv;
v = *pv;
- if (!PyString_Check(v) || v->ob_refcnt != 1) {
+ if (!PyString_Check(v) || v->ob_refcnt != 1 || newsize < 0) {
*pv = 0;
Py_DECREF(v);
PyErr_BadInternalCall();
@@ -3959,10 +3959,14 @@ PyString_Format(PyObject *format, PyObject *args)
}
if (width < len)
width = len;
- if (rescnt < width + (sign != 0)) {
+ if (rescnt - (sign != 0) < width) {
reslen -= rescnt;
rescnt = width + fmtcnt + 100;
reslen += rescnt;
+ if (reslen < 0) {
+ Py_DECREF(result);
+ return PyErr_NoMemory();
+ }
if (_PyString_Resize(&result, reslen) < 0)
return NULL;
res = PyString_AS_STRING(result)
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index eb8ee61..5f9f4a7 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -261,7 +261,7 @@ int PyUnicode_Resize(PyObject **unicode,
return -1;
}
v = (PyUnicodeObject *)*unicode;
- if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1) {
+ if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1 || length < 0) {
PyErr_BadInternalCall();
return -1;
}
@@ -6483,10 +6483,14 @@ PyObject *PyUnicode_Format(PyObject *format,
}
if (width < len)
width = len;
- if (rescnt < width + (sign != 0)) {
+ if (rescnt - (sign != 0) < width) {
reslen -= rescnt;
rescnt = width + fmtcnt + 100;
reslen += rescnt;
+ if (reslen < 0) {
+ Py_DECREF(result);
+ return PyErr_NoMemory();
+ }
if (_PyUnicode_Resize(&result, reslen) < 0)
return NULL;
res = PyUnicode_AS_UNICODE(result)