From 0576f9b4cf7e4b373eff1e610d6c63682a0ce089 Mon Sep 17 00:00:00 2001
From: Victor Stinner <victor.stinner@gmail.com>
Date: Mon, 7 May 2012 13:02:44 +0200
Subject: Issue #14716: Change integer overflow check in
 unicode_writer_prepare() to compute the limit at compile time instead of
 runtime. Patch writen by Serhiy Storchaka.

---
 Objects/unicodeobject.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index 0722312..4bbaa35 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -13242,8 +13242,10 @@ unicode_writer_prepare(unicode_writer_t *writer,
     newlen = writer->pos + length;
 
     if (newlen > PyUnicode_GET_LENGTH(writer->buffer)) {
-        /* overallocate 25% to limit the number of resize */
-        if (newlen <= (PY_SSIZE_T_MAX - newlen / 4))
+        /* Overallocate 25% to limit the number of resize.
+           Check for integer overflow:
+           (newlen + newlen / 4) <= PY_SSIZE_T_MAX */
+        if (newlen <= (PY_SSIZE_T_MAX - PY_SSIZE_T_MAX / 5))
             newlen += newlen / 4;
 
         if (maxchar > writer->maxchar) {
-- 
cgit v0.12