Fixes possible integer overflow in PyBytes_DecodeEscape.
Co-Authored-By: Jay Bosamiya <jaybosamiya@gmail.com>
Matias Bordese
Jonas Borgström
Jurjen Bos
+Jay Bosamiya
Peter Bosch
Dan Boswell
Eric Bouck
Brad Howes
Mike Hoy
Ben Hoyt
+Miro Hrončok
Chiu-Hsiang Hsu
Chih-Hao Huang
Christian Hudon
--- /dev/null
+Fixed possible integer overflow in PyBytes_DecodeEscape, CVE-2017-1000158.
+Original patch by Jay Bosamiya; rebased to Python 3 by Miro Hrončok.
char *p, *buf;
const char *end;
PyObject *v;
- Py_ssize_t newlen = recode_encoding ? 4*len:len;
+ Py_ssize_t newlen;
+ /* Check for integer overflow */
+ if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
+ PyErr_SetString(PyExc_OverflowError, "string is too large");
+ return NULL;
+ }
+ newlen = recode_encoding ? 4*len:len;
v = PyBytes_FromStringAndSize((char *)NULL, newlen);
if (v == NULL)
return NULL;