From e55181f517bbfc875065ce86ed3e05cf0e0246fa Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Fri, 20 Feb 2015 21:34:06 +0200
Subject: Issue #23490: Fixed possible crashes related to interoperability
 between old-style and new API for string with 2**30-1 characters.

---
 Objects/unicodeobject.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index 2ffa55b..d8f1ce1 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -1535,6 +1535,10 @@ _PyUnicode_Ready(PyObject *unicode)
         /* in case the native representation is 2-bytes, we need to allocate a
            new normalized 4-byte version. */
         length_wo_surrogates = _PyUnicode_WSTR_LENGTH(unicode) - num_surrogates;
+        if (length_wo_surrogates > PY_SSIZE_T_MAX / 4 - 1) {
+            PyErr_NoMemory();
+            return -1;
+        }
         _PyUnicode_DATA_ANY(unicode) = PyObject_MALLOC(4 * (length_wo_surrogates + 1));
         if (!_PyUnicode_DATA_ANY(unicode)) {
             PyErr_NoMemory();
@@ -3846,6 +3850,11 @@ PyUnicode_AsUnicodeAndSize(PyObject *unicode, Py_ssize_t *size)
 #endif
         }
         else {
+            if ((size_t)_PyUnicode_LENGTH(unicode) >
+                    PY_SSIZE_T_MAX / sizeof(wchar_t) - 1) {
+                PyErr_NoMemory();
+                return NULL;
+            }
             _PyUnicode_WSTR(unicode) = (wchar_t *) PyObject_MALLOC(sizeof(wchar_t) *
                                                   (_PyUnicode_LENGTH(unicode) + 1));
             if (!_PyUnicode_WSTR(unicode)) {
-- 
cgit v0.12