From c3c9db89273fabc62ea1b48389d9a3000c1c03ae Mon Sep 17 00:00:00 2001 From: Jay Bosamiya Date: Sun, 18 Jun 2017 22:11:03 +0530 Subject: [2.7] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174) --- Misc/ACKS | 1 + Misc/NEWS | 3 +++ Objects/stringobject.c | 8 +++++++- 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/Misc/ACKS b/Misc/ACKS index 95be4271..a411bc5 100644 --- a/Misc/ACKS +++ b/Misc/ACKS @@ -152,6 +152,7 @@ Gregory Bond Matias Bordese Jonas Borgström Jurjen Bos +Jay Bosamiya Peter Bosch Dan Boswell Eric Bouck diff --git a/Misc/NEWS b/Misc/NEWS index b89f6ea..62559ed 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -10,6 +10,9 @@ What's New in Python 2.7.14? Core and Builtins ----------------- +- bpo-30657: Fixed possible integer overflow in PyString_DecodeEscape. + Patch by Jay Bosamiya. + - bpo-27945: Fixed various segfaults with dict when input collections are mutated during searching, inserting or comparing. Based on patches by Duane Griffin and Tim Mitchell. diff --git a/Objects/stringobject.c b/Objects/stringobject.c index c78e193..59d22e7 100644 --- a/Objects/stringobject.c +++ b/Objects/stringobject.c @@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s, char *p, *buf; const char *end; PyObject *v; - Py_ssize_t newlen = recode_encoding ? 4*len:len; + Py_ssize_t newlen; + /* Check for integer overflow */ + if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) { + PyErr_SetString(PyExc_OverflowError, "string is too large"); + return NULL; + } + newlen = recode_encoding ? 4*len:len; v = PyString_FromStringAndSize((char *)NULL, newlen); if (v == NULL) return NULL; -- cgit v0.12