summaryrefslogtreecommitdiffstats
path: root/Objects/stringobject.c
diff options
context:
space:
mode:
Diffstat (limited to 'Objects/stringobject.c')
-rw-r--r--Objects/stringobject.c19
1 files changed, 17 insertions, 2 deletions
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index f7c3f4b..eee3551 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -393,16 +393,31 @@ string_repeat(register PyStringObject *a, register int n)
register int i;
register int size;
register PyStringObject *op;
+ size_t nbytes;
if (n < 0)
n = 0;
+ /* watch out for overflows: the size can overflow int,
+ * and the # of bytes needed can overflow size_t
+ */
size = a->ob_size * n;
+ if (n && size / n != a->ob_size) {
+ PyErr_SetString(PyExc_OverflowError,
+ "repeated string is too long");
+ return NULL;
+ }
if (size == a->ob_size) {
Py_INCREF(a);
return (PyObject *)a;
}
- /* PyObject_NewVar is inlined */
+ nbytes = size * sizeof(char);
+ if (nbytes / sizeof(char) != (size_t)size ||
+ nbytes + sizeof(PyStringObject) <= nbytes) {
+ PyErr_SetString(PyExc_OverflowError,
+ "repeated string is too long");
+ return NULL;
+ }
op = (PyStringObject *)
- PyObject_MALLOC(sizeof(PyStringObject) + size * sizeof(char));
+ PyObject_MALLOC(sizeof(PyStringObject) + nbytes);
if (op == NULL)
return PyErr_NoMemory();
PyObject_INIT_VAR(op, &PyString_Type, size);
generated by cgit v0.12 at 2024-11-19 02:08:05 (GMT)