fix possible overflow bugs in unicodedata (closes #23367)

diff --git a/Misc/NEWS b/Misc/NEWS
index 7d1dfb82fe16fcc34c0cf83469826503fb8f239e..ae04f59ac24b617ea2f0fd80e889cb4b2c4ec7e1 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -16,6 +16,8 @@ Core and Builtins
 Library
 -------
 
+- Issue #23367: Fix possible overflows in the unicodedata module.
+
 - Issue #23361: Fix possible overflow in Windows subprocess creation code.
 
 - Issue #23363: Fix possible overflow in itertools.permutations.

diff --git a/Modules/unicodedata.c b/Modules/unicodedata.c
index f4d3608750c5ffb9ca33cb5779fa72eeec97a72c..9fb1191fc593489e00df82488c2bdab2f833ab6a 100644 (file)
--- a/Modules/unicodedata.c
+++ b/Modules/unicodedata.c
@@ -507,10 +507,17 @@ nfd_nfkd(PyObject *self, PyObject *input, int k)
 
     stackptr = 0;
     isize = PyUnicode_GET_LENGTH(input);
+    space = isize;
     /* Overallocate at most 10 characters. */
-    space = (isize > 10 ? 10 : isize) + isize;
+    if (space > 10) {
+        if (space <= PY_SSIZE_T_MAX - 10)
+            space += 10;
+    }
+    else {
+        space *= 2;
+    }
     osize = space;
-    output = PyMem_Malloc(space * sizeof(Py_UCS4));
+    output = PyMem_NEW(Py_UCS4, space);
     if (!output) {
         PyErr_NoMemory();
         return NULL;
@@ -657,7 +664,7 @@ nfc_nfkc(PyObject *self, PyObject *input, int k)
     /* We allocate a buffer for the output.
        If we find that we made no changes, we still return
        the NFD result. */
-    output = PyMem_Malloc(len * sizeof(Py_UCS4));
+    output = PyMem_NEW(Py_UCS4, len);
     if (!output) {
         PyErr_NoMemory();
         Py_DECREF(result);