From: Benjamin Peterson Date: Sun, 4 Jan 2015 22:05:39 +0000 (-0600) Subject: merge 3.3 (closes #23165) X-Git-Tag: v3.4.3rc1~179 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=10ecaa24162382bdf5e21170b27206188ec9b25f;p=python merge 3.3 (closes #23165) --- 10ecaa24162382bdf5e21170b27206188ec9b25f diff --cc Python/fileutils.c index f5000e533c,5c66ecf0b5..901a746efe --- a/Python/fileutils.c +++ b/Python/fileutils.c @@@ -220,8 -201,11 +220,11 @@@ decode_ascii_surrogateescape(const cha wchar_t *res; unsigned char *in; wchar_t *out; + size_t argsize = strlen(arg) + 1; - res = PyMem_RawMalloc((strlen(arg)+1)*sizeof(wchar_t)); + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + return NULL; - res = PyMem_Malloc(argsize*sizeof(wchar_t)); ++ res = PyMem_RawMalloc(argsize*sizeof(wchar_t)); if (!res) return NULL; @@@ -303,10 -287,15 +306,15 @@@ _Py_char2wchar(const char* arg, size_t argsize = mbstowcs(NULL, arg, 0); #endif if (argsize != (size_t)-1) { - res = (wchar_t *)PyMem_RawMalloc((argsize+1)*sizeof(wchar_t)); + if (argsize == PY_SSIZE_T_MAX) + goto oom; + argsize += 1; + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + goto oom; - res = (wchar_t *)PyMem_Malloc(argsize*sizeof(wchar_t)); ++ res = (wchar_t *)PyMem_RawMalloc(argsize*sizeof(wchar_t)); if (!res) goto oom; - count = mbstowcs(res, arg, argsize+1); + count = mbstowcs(res, arg, argsize); if (count != (size_t)-1) { wchar_t *tmp; /* Only use the result if it contains no @@@ -329,7 -318,9 +337,9 @@@ /* Overallocate; as multi-byte characters are in the argument, the actual output could use less memory. */ argsize = strlen(arg) + 1; + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + goto oom; - res = (wchar_t*)PyMem_Malloc(argsize*sizeof(wchar_t)); + res = (wchar_t*)PyMem_RawMalloc(argsize*sizeof(wchar_t)); if (!res) goto oom; in = (unsigned char*)arg;