[2.7] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174)

diff --git a/Misc/ACKS b/Misc/ACKS
index 95be42717a0c09cbcc7264326dff2a42a8e2e6b4..a411bc5ffc8f728d50d64df1dcd41f74473f6735 100644 (file)
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -152,6 +152,7 @@ Gregory Bond
 Matias Bordese
 Jonas Borgström
 Jurjen Bos
+Jay Bosamiya
 Peter Bosch
 Dan Boswell
 Eric Bouck

diff --git a/Misc/NEWS b/Misc/NEWS
index b89f6ea62d851c699fc0601d5eac07da29b3ebb1..62559edf837433cf3f523593ca70e478a51aa047 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 2.7.14?
 Core and Builtins
 -----------------
 
+- bpo-30657: Fixed possible integer overflow in PyString_DecodeEscape.
+  Patch by Jay Bosamiya.
+
 - bpo-27945: Fixed various segfaults with dict when input collections are
   mutated during searching, inserting or comparing.  Based on patches by
   Duane Griffin and Tim Mitchell.

diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index c78e19316a06ac507005e0a8a0af64a58666bcc2..59d22e76946bb22f8dcc088f5fbb891899ece88c 100644 (file)
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s,
     char *p, *buf;
     const char *end;
     PyObject *v;
-    Py_ssize_t newlen = recode_encoding ? 4*len:len;
+    Py_ssize_t newlen;
+    /* Check for integer overflow */
+    if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
+        PyErr_SetString(PyExc_OverflowError, "string is too large");
+        return NULL;
+    }
+    newlen = recode_encoding ? 4*len:len;
     v = PyString_FromStringAndSize((char *)NULL, newlen);
     if (v == NULL)
         return NULL;