From b027c6cae0bf591d62348f555116f28e0c081880 Mon Sep 17 00:00:00 2001
From: Benjamin Peterson <benjamin@python.org>
Date: Mon, 2 Mar 2015 11:17:05 -0500
Subject: fix possible overflow bugs in unicodedata (closes #23367)

---
 Misc/NEWS             | 2 ++
 Modules/unicodedata.c | 9 ++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/Misc/NEWS b/Misc/NEWS
index be68961..288a484 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -50,6 +50,8 @@ Library
   posixpath.expandvars().  Fixed all os.path implementations on
   unicode-disabled builds.
 
+- Issue #23367: Fix possible overflows in the unicodedata module.
+
 - Issue #23363: Fix possible overflow in itertools.permutations.
 
 - Issue #23364: Fix possible overflow in itertools.product.
diff --git a/Modules/unicodedata.c b/Modules/unicodedata.c
index 6f9c7e8..6b01fc76 100644
--- a/Modules/unicodedata.c
+++ b/Modules/unicodedata.c
@@ -506,8 +506,15 @@ nfd_nfkd(PyObject *self, PyObject *input, int k)
 
     stackptr = 0;
     isize = PyUnicode_GET_SIZE(input);
+    space = isize;
     /* Overallocate at most 10 characters. */
-    space = (isize > 10 ? 10 : isize) + isize;
+    if (space > 10) {
+        if (space <= PY_SSIZE_T_MAX - 10)
+            space += 10;
+    }
+    else {
+        space *= 2;
+    }
     result = PyUnicode_FromUnicode(NULL, space);
     if (!result)
         return NULL;
-- 
cgit v0.12