From 99e2e5552ab6a105b188273658784963bb9a915c Mon Sep 17 00:00:00 2001
From: Mark Dickinson <mdickinson@enthought.com>
Date: Mon, 7 May 2012 11:20:50 +0100
Subject: Issue #14700: Fix two broken and undefined-behaviour-inducing
 overflow checks in old-style string formatting.  Thanks Serhiy Storchaka for
 report and original patch.

---
 Lib/test/string_tests.py | 4 ++++
 Misc/NEWS                | 3 +++
 Objects/unicodeobject.c  | 4 ++--
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/Lib/test/string_tests.py b/Lib/test/string_tests.py
index b7246eb..eeeb457 100644
--- a/Lib/test/string_tests.py
+++ b/Lib/test/string_tests.py
@@ -1197,6 +1197,10 @@ class MixinStrUnicodeUserStringTest:
         self.checkraises(TypeError, '%10.*f', '__mod__', ('foo', 42.))
         self.checkraises(ValueError, '%10', '__mod__', (42,))
 
+        # Outrageously large width or precision should raise ValueError.
+        self.checkraises(ValueError, '%%%df' % (2**64), '__mod__', (3.2))
+        self.checkraises(ValueError, '%%.%df' % (2**64), '__mod__', (3.2))
+
     def test_floatformatting(self):
         # float formatting
         for prec in range(100):
diff --git a/Misc/NEWS b/Misc/NEWS
index 6047785..809114c 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 3.3.0 Alpha 4?
 Core and Builtins
 -----------------
 
+- Issue #14700: Fix two broken and undefined-behaviour-inducing overflow checks
+  in old-style string formatting.
+
 - Issue #14705: The PyArg_Parse() family of functions now support the 'p' format
   unit, which accepts a "boolean predicate" argument.  It converts any Python
   value into an integer--0 if it is "false", and 1 otherwise.
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index bb0d786..129a5fc 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -13933,7 +13933,7 @@ PyUnicode_Format(PyObject *format, PyObject *args)
                     c = PyUnicode_READ(fmtkind, fmt, fmtpos++);
                     if (c < '0' || c > '9')
                         break;
-                    if ((width*10) / 10 != width) {
+                    if (width > (PY_SSIZE_T_MAX - (c - '0')) / 10) {
                         PyErr_SetString(PyExc_ValueError,
                                         "width too big");
                         goto onError;
@@ -13968,7 +13968,7 @@ PyUnicode_Format(PyObject *format, PyObject *args)
                         c = PyUnicode_READ(fmtkind, fmt, fmtpos++);
                         if (c < '0' || c > '9')
                             break;
-                        if ((prec*10) / 10 != prec) {
+                        if (prec > (INT_MAX - (c - '0')) / 10) {
                             PyErr_SetString(PyExc_ValueError,
                                             "prec too big");
                             goto onError;
-- 
cgit v0.12