[Python-checkins] cpython (merge 3.4 -> default): merge 3.4 (#23361)

Tue Feb 10 03:00:17 CET 2015

https://hg.python.org/cpython/rev/76170e33f251
changeset: 94576:76170e33f251
parent: 94573:e548ab4ce71d
parent: 94575:b82cc9180a78
user: Benjamin Peterson <benjamin at python.org>
date: Mon Feb 09 21:00:00 2015 -0500
summary:
 merge 3.4 (#23361)
files:
 Misc/NEWS | 2 ++
 Modules/_winapi.c | 14 ++++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,8 @@
 Library
 -------
 
+- Issue #23361: Fix possible overflow in Windows subprocess creation code.
+
 - logging.handlers.QueueListener now takes a respect_handler_level keyword
 argument which, if set to True, will pass messages to handlers taking handler
 levels into account.
diff --git a/Modules/_winapi.c b/Modules/_winapi.c
--- a/Modules/_winapi.c
+++ b/Modules/_winapi.c
@@ -670,13 +670,23 @@
 "environment can only contain strings");
 goto error;
 }
+ if (totalsize > PY_SSIZE_T_MAX - PyUnicode_GET_LENGTH(key) - 1) {
+ PyErr_SetString(PyExc_OverflowError, "environment too long");
+ goto error;
+ }
 totalsize += PyUnicode_GET_LENGTH(key) + 1; /* +1 for '=' */
+ if (totalsize > PY_SSIZE_T_MAX - PyUnicode_GET_LENGTH(value) - 1) {
+ PyErr_SetString(PyExc_OverflowError, "environment too long");
+ goto error;
+ }
 totalsize += PyUnicode_GET_LENGTH(value) + 1; /* +1 for '0円' */
 }
 
- buffer = PyMem_Malloc(totalsize * sizeof(Py_UCS4));
- if (! buffer)
+ buffer = PyMem_NEW(Py_UCS4, totalsize);
+ if (! buffer) {
+ PyErr_NoMemory();
 goto error;
+ }
 p = buffer;
 end = buffer + totalsize;
 
-- 
Repository URL: https://hg.python.org/cpython
