Fix a nasty endcase reported by Armin Rigo in SF bug 618623:

'%2147483647d' % -123 segfaults.  This was because an integer overflow
in a comparison caused the string resize to be skipped.  After fixing
the overflow, this could call _PyString_Resize() with a negative size,
so I (1) test for that and raise MemoryError instead; (2) also added a
test for negative newsize to _PyString_Resize(), raising SystemError
as for all bad arguments.

An identical bug existed in unicodeobject.c, of course.

Will backport to 2.2.2.

diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index 6a9450a21d97cfbc905850de02a904eb98aeabbc..5c5b6aea9e37df35cba9d10fd8cf5ecd17c869af 100644 (file)
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -3319,7 +3319,7 @@ _PyString_Resize(PyObject **pv, int newsize)
        register PyObject *v;
        register PyStringObject *sv;
        v = *pv;
-       if (!PyString_Check(v) || v->ob_refcnt != 1) {
+       if (!PyString_Check(v) || v->ob_refcnt != 1 || newsize < 0) {
                *pv = 0;
                Py_DECREF(v);
                PyErr_BadInternalCall();
@@ -3959,10 +3959,14 @@ PyString_Format(PyObject *format, PyObject *args)
                        }
                        if (width < len)
                                width = len;
-                       if (rescnt < width + (sign != 0)) {
+                       if (rescnt - (sign != 0) < width) {
                                reslen -= rescnt;
                                rescnt = width + fmtcnt + 100;
                                reslen += rescnt;
+                               if (reslen < 0) {
+                                       Py_DECREF(result);
+                                       return PyErr_NoMemory();
+                               }
                                if (_PyString_Resize(&result, reslen) < 0)
                                        return NULL;
                                res = PyString_AS_STRING(result)

diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index eb8ee61ba929939a75c98760f9784e4c275d7c6f..5f9f4a70d1443776dbba2fd8d2e821e3b2891501 100644 (file)
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -261,7 +261,7 @@ int PyUnicode_Resize(PyObject **unicode,
        return -1;
     }
     v = (PyUnicodeObject *)*unicode;
-    if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1) {
+    if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1 || length < 0) {
        PyErr_BadInternalCall();
        return -1;
     }
@@ -6483,10 +6483,14 @@ PyObject *PyUnicode_Format(PyObject *format,
            }
            if (width < len)
                width = len;
-           if (rescnt < width + (sign != 0)) {
+           if (rescnt - (sign != 0) < width) {
                reslen -= rescnt;
                rescnt = width + fmtcnt + 100;
                reslen += rescnt;
+               if (reslen < 0) {
+                   Py_DECREF(result);
+                   return PyErr_NoMemory();
+               }
                if (_PyUnicode_Resize(&result, reslen) < 0)
                    return NULL;
                res = PyUnicode_AS_UNICODE(result)