5f131aeb |
From c3c9db89273fabc62ea1b48389d9a3000c1c03ae Mon Sep 17 00:00:00 2001
From: Jay Bosamiya <jaybosamiya@gmail.com>
Date: Sun, 18 Jun 2017 22:11:03 +0530
Subject: [PATCH] [2.7] bpo-30657: Check & prevent integer overflow in
PyString_DecodeEscape (#2174)
---
Misc/ACKS | 1 +
Misc/NEWS | 3 +++
Objects/stringobject.c | 8 +++++++-
3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/Misc/ACKS b/Misc/ACKS
index 95be42717a0..a411bc5ffc8 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -152,6 +152,7 @@ Gregory Bond
Matias Bordese
Jonas Borgström
Jurjen Bos
+Jay Bosamiya
Peter Bosch
Dan Boswell
Eric Bouck
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s,
char *p, *buf;
const char *end;
PyObject *v;
- Py_ssize_t newlen = recode_encoding ? 4*len:len;
+ Py_ssize_t newlen;
+ /* Check for integer overflow */
+ if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
+ PyErr_SetString(PyExc_OverflowError, "string is too large");
+ return NULL;
+ }
+ newlen = recode_encoding ? 4*len:len;
v = PyString_FromStringAndSize((char *)NULL, newlen);
if (v == NULL)
return NULL; |