From: Benjamin Peterson
Date: Mon, 29 Sep 2014 23:01:18 +0000 (-0400)
Subject: fix overflow checking in PyString_Repr (closes #22519)
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f8c4b3a730461c10766f66784c268ce0d923ad39;p=python

fix overflow checking in PyString_Repr (closes #22519)
---
diff --git a/Misc/NEWS b/Misc/NEWS
index 686db0fee0..47de844425 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,8 @@ What's New in Python 2.7.9?
 Core and Builtins
 -----------------
 
+- Issue #22519: Fix overflow checking in PyString_Repr.
+
 - Issue #22518: Fix integer overflow issues in latin-1 encoding.
 
 - Issue #22379: Fix empty exception message in a TypeError raised in
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index f95857ab83..46f46db0e0 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -926,13 +926,14 @@ PyObject *
 PyString_Repr(PyObject *obj, int smartquotes)
 {
 register PyStringObject* op = (PyStringObject*) obj;
- size_t newsize = 2 + 4 * Py_SIZE(op);
+ size_t newsize;
 PyObject *v;
- if (newsize > PY_SSIZE_T_MAX || newsize / 4 != Py_SIZE(op)) {
+ if (Py_SIZE(op) > (PY_SSIZE_T_MAX - 2)/4) {
 PyErr_SetString(PyExc_OverflowError,
 "string is too large to make repr");
 return NULL;
 }
+ newsize = 2 + 4*Py_SIZE(op);
 v = PyString_FromStringAndSize((char *)NULL, newsize);
 if (v == NULL) {
 return NULL;
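Review bot: In the Objects/stringobject.c hunk, the bound `(PY_SSIZE_T_MAX - 2)/4` and the later `newsize = 2 + 4*Py_SIZE(op);` repeat the same two constants, and nothing says what they mean or that the test has to run before the multiplication. A later edit could change one and not the other, or fold the arithmetic back into the initializer, and bring the overflow back. A comment above the `if` would pin this, for example `/* worst case: 4 output bytes per input byte plus 2 quotes; test before multiplying, the product is signed */` (the 4-per-byte reading is inferred from the constants, since the escaping loop is outside the hunk). Because the sum is evaluated in `Py_ssize_t` and passed to `PyString_FromStringAndSize`, declaring `newsize` as `Py_ssize_t` would also avoid the signed-to-unsigned conversion, provided the uses further down the function, which the hunk does not show, allow it. The page shows no test change covering the `OverflowError` path.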