diff options
-rw-r--r-- | Misc/NEWS | 2 | ||||
-rw-r--r-- | Modules/unicodedata.c | 13 |
2 files changed, 12 insertions, 3 deletions
@@ -78,6 +78,8 @@ Library - Issue #23421: Fixed compression in tarfile CLI. Patch by wdv4758h. +- Issue #23367: Fix possible overflows in the unicodedata module. + - Issue #23361: Fix possible overflow in Windows subprocess creation code. - logging.handlers.QueueListener now takes a respect_handler_level keyword diff --git a/Modules/unicodedata.c b/Modules/unicodedata.c index 47d2937..507cef3 100644 --- a/Modules/unicodedata.c +++ b/Modules/unicodedata.c @@ -553,10 +553,17 @@ nfd_nfkd(PyObject *self, PyObject *input, int k) stackptr = 0; isize = PyUnicode_GET_LENGTH(input); + space = isize; /* Overallocate at most 10 characters. */ - space = (isize > 10 ? 10 : isize) + isize; + if (space > 10) { + if (space <= PY_SSIZE_T_MAX - 10) + space += 10; + } + else { + space *= 2; + } osize = space; - output = PyMem_New(Py_UCS4, space); + output = PyMem_NEW(Py_UCS4, space); if (!output) { PyErr_NoMemory(); return NULL; @@ -703,7 +710,7 @@ nfc_nfkc(PyObject *self, PyObject *input, int k) /* We allocate a buffer for the output. If we find that we made no changes, we still return the NFD result. */ - output = PyMem_New(Py_UCS4, len); + output = PyMem_NEW(Py_UCS4, len); if (!output) { PyErr_NoMemory(); Py_DECREF(result); |