From 6e01d90cc8bfac920bd4f7143b3968a8a21079d9 Mon Sep 17 00:00:00 2001
From: Benjamin Peterson <benjamin@python.org>
Date: Sat, 13 Aug 2016 17:17:06 -0700
Subject: check for overflow in join_append_data (closes #27758)

Reported by Thomas E. Hybel
---
 Misc/NEWS      |  3 +++
 Modules/_csv.c | 23 +++++++++++++++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/Misc/NEWS b/Misc/NEWS
index e9a8f28..c3235de 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -29,6 +29,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #27758: Fix possible integer overflow in the _csv module for large record
+  lengths.
+
 - Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
   HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
   that the script is in CGI mode.
diff --git a/Modules/_csv.c b/Modules/_csv.c
index f5f6e71..dcb671e 100644
--- a/Modules/_csv.c
+++ b/Modules/_csv.c
@@ -1002,11 +1002,19 @@ join_append_data(WriterObj *self, unsigned int field_kind, void *field_data,
     int i;
     Py_ssize_t rec_len;
 
-#define ADDCH(c) \
+#define INCLEN \
+    do {\
+        if (!copy_phase && rec_len == PY_SSIZE_T_MAX) {    \
+            goto overflow; \
+        } \
+        rec_len++; \
+    } while(0)
+
+#define ADDCH(c)                                \
     do {\
         if (copy_phase) \
             self->rec[rec_len] = c;\
-        rec_len++;\
+        INCLEN;\
     } while(0)
 
     rec_len = self->rec_len;
@@ -1072,11 +1080,18 @@ join_append_data(WriterObj *self, unsigned int field_kind, void *field_data,
     if (*quoted) {
         if (copy_phase)
             ADDCH(dialect->quotechar);
-        else
-            rec_len += 2;
+        else {
+            INCLEN; /* starting quote */
+            INCLEN; /* ending quote */
+        }
     }
     return rec_len;
+
+  overflow:
+    PyErr_NoMemory();
+    return -1;
 #undef ADDCH
+#undef INCLEN
 }
 
 static int
-- 
cgit v0.12