From c3c9db89273fabc62ea1b48389d9a3000c1c03ae Mon Sep 17 00:00:00 2001 From: Jay Bosamiya <jaybosamiya@gmail.com> Date: Sun, 18 Jun 2017 22:11:03 +0530 Subject: [PATCH] [2.7] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174) --- Misc/ACKS | 1 + Misc/NEWS | 3 +++ Objects/stringobject.c | 8 +++++++- 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/Misc/ACKS b/Misc/ACKS index 95be42717a0..a411bc5ffc8 100644 --- a/Misc/ACKS +++ b/Misc/ACKS @@ -152,6 +152,7 @@ Gregory Bond Matias Bordese Jonas Borgström Jurjen Bos +Jay Bosamiya Peter Bosch Dan Boswell Eric Bouck --- a/Objects/stringobject.c +++ b/Objects/stringobject.c @@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s, char *p, *buf; const char *end; PyObject *v; - Py_ssize_t newlen = recode_encoding ? 4*len:len; + Py_ssize_t newlen; + /* Check for integer overflow */ + if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) { + PyErr_SetString(PyExc_OverflowError, "string is too large"); + return NULL; + } + newlen = recode_encoding ? 4*len:len; v = PyString_FromStringAndSize((char *)NULL, newlen); if (v == NULL) return NULL;