[2.7] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174)
authorJay Bosamiya <jaybosamiya@gmail.com>
Sun, 18 Jun 2017 16:41:03 +0000 (22:11 +0530)
committerSerhiy Storchaka <storchaka@gmail.com>
Sun, 18 Jun 2017 16:41:03 +0000 (19:41 +0300)
Misc/ACKS
Misc/NEWS
Objects/stringobject.c

index 95be42717a0c09cbcc7264326dff2a42a8e2e6b4..a411bc5ffc8f728d50d64df1dcd41f74473f6735 100644 (file)
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -152,6 +152,7 @@ Gregory Bond
 Matias Bordese
 Jonas Borgström
 Jurjen Bos
+Jay Bosamiya
 Peter Bosch
 Dan Boswell
 Eric Bouck
index b89f6ea62d851c699fc0601d5eac07da29b3ebb1..62559edf837433cf3f523593ca70e478a51aa047 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 2.7.14?
 Core and Builtins
 -----------------
 
+- bpo-30657: Fixed possible integer overflow in PyString_DecodeEscape.
+  Patch by Jay Bosamiya.
+
 - bpo-27945: Fixed various segfaults with dict when input collections are
   mutated during searching, inserting or comparing.  Based on patches by
   Duane Griffin and Tim Mitchell.
index c78e19316a06ac507005e0a8a0af64a58666bcc2..59d22e76946bb22f8dcc088f5fbb891899ece88c 100644 (file)
@@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s,
     char *p, *buf;
     const char *end;
     PyObject *v;
-    Py_ssize_t newlen = recode_encoding ? 4*len:len;
+    Py_ssize_t newlen;
+    /* Check for integer overflow */
+    if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
+        PyErr_SetString(PyExc_OverflowError, "string is too large");
+        return NULL;
+    }
+    newlen = recode_encoding ? 4*len:len;
     v = PyString_FromStringAndSize((char *)NULL, newlen);
     if (v == NULL)
         return NULL;
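Review bot: The guard `if (recode_encoding && (len > PY_SSIZE_T_MAX / 4))` and the later `newlen = recode_encoding ? 4*len:len;` each repeat the factor 4 and the `recode_encoding` test, so the bound and the multiplication it protects can drift apart in a later edit. Setting `newlen = len;` first, then doing the check and `newlen = 4 * len;` inside a single `if (recode_encoding)` branch, would keep them together. The comment `/* Check for integer overflow */` could also state what is at stake, e.g. `/* 4*len must fit in Py_ssize_t; otherwise the result buffer would be sized from a wrapped value */`. The changed-file list shows no test file, so the new OverflowError path appears to have no coverage in this commit. PyString_DecodeEscape's body continues outside the hunk, so how `newlen` is used after the allocation is not visible here.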