From: Benjamin Peterson Date: Wed, 15 Oct 2014 15:47:36 +0000 (-0400) Subject: fix integer overflow in unicode case operations (closes #22643) X-Git-Tag: v3.4.3rc1~362^2~6 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e1bd38c03c16cd27227b3148d2be0ef1ab678448;p=python fix integer overflow in unicode case operations (closes #22643) --- diff --git a/Lib/test/test_unicode.py b/Lib/test/test_unicode.py index c2ede07a83..e1ccd5c1da 100644 --- a/Lib/test/test_unicode.py +++ b/Lib/test/test_unicode.py @@ -661,6 +661,11 @@ class UnicodeTest(string_tests.CommonTest, self.assertEqual('x'.center(4, '\U0010FFFF'), '\U0010FFFFx\U0010FFFF\U0010FFFF') + @unittest.skipUnless(sys.maxsize == 2**31 - 1, "requires 32-bit system") + def test_case_operation_overflow(self): + # Issue #22643 + self.assertRaises(OverflowError, ("ü"*(2**32//12 + 1)).upper) + def test_contains(self): # Testing Unicode contains method self.assertIn('a', 'abdb') diff --git a/Misc/NEWS b/Misc/NEWS index 8fbf58bd66..7676c9051d 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -10,6 +10,9 @@ What's New in Python 3.3.6? Core and Builtins ----------------- +- Issue #22643: Fix integer overflow in Unicode case operations (upper, lower, + title, swapcase, casefold). + - Issue #22518: Fixed integer overflow issues in "backslashreplace", "xmlcharrefreplace", and "surrogatepass" error handlers. diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index 1ce5caafdc..35da457530 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c @@ -9484,6 +9484,11 @@ case_operation(PyObject *self, kind = PyUnicode_KIND(self); data = PyUnicode_DATA(self); length = PyUnicode_GET_LENGTH(self); + if (length > PY_SSIZE_T_MAX / 3 || + length > PY_SIZE_MAX / (3 * sizeof(Py_UCS4))) { + PyErr_SetString(PyExc_OverflowError, "string is too long"); + return NULL; + } tmp = PyMem_MALLOC(sizeof(Py_UCS4) * 3 * length); if (tmp == NULL) return PyErr_NoMemory();