Backport r62261 from trunk:

Prevent PyString_FromStringAndSize() from passing negative sizes on to lower
level memory allocation functions.  Raise a SystemError and return NULL
instead.

diff --git a/Misc/NEWS b/Misc/NEWS
index 357fa4f0cb00b7153cc6610b4579792a51377439..aeee3f8f5558b186fbb98a41ade71018fd68f884 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -30,13 +30,15 @@ Core and builtins
 - Issue #2238: Some syntax errors in *args and **kwargs expressions could give
   bogus error messages.
 
+- Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size
+  parameter but was not verifying that it was greater than zero.  Values
+  less than zero will now raise a SystemError and return NULL to indicate a
+  bug in the calling C code.
+
 
 Library
 -------
 
-- zlib.decompressobj().flush(value) no longer crashes the interpreter when
-  passed a value less than or equal to zero.
-
 - Issue #2495: tokenize.untokenize now inserts a space between two consecutive
   string literals; previously, ["" ""] was rendered as [""""], which is
   incorrect python code.
@@ -72,6 +74,9 @@ Library
 Extension Modules
 -----------------
 
+- zlib.decompressobj().flush(value) no longer crashes the interpreter when
+  passed a value less than or equal to zero.
+
 Tests
 -----
 

diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index e1e287fba11a4e185ca62b71d7c292a83d77a8ce..7cd613dd87292e05c319c0346a547f0260d078b3 100644 (file)
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -54,6 +54,11 @@ PyString_FromStringAndSize(const char *str, Py_ssize_t size)
 {
        register PyStringObject *op;
        assert(size >= 0);
+       if (size < 0) {
+               PyErr_SetString(PyExc_SystemError,
+                   "Negative size passed to PyString_FromStringAndSize");
+               return NULL;
+       }
        if (size == 0 && (op = nullstring) != NULL) {
 #ifdef COUNT_ALLOCS
                null_strings++;