[Python-checkins] cpython (merge 3.2 -> 3.3): merge 3.2 (closes #23165)

Sun Jan 4 23:07:07 CET 2015

https://hg.python.org/cpython/rev/d1af6f3a8ce3
changeset: 94019:d1af6f3a8ce3
branch: 3.3
parent: 93996:3b202cc79a38
parent: 94018:1ce98e85929d
user: Benjamin Peterson <benjamin at python.org>
date: Sun Jan 04 16:03:59 2015 -0600
summary:
 merge 3.2 (closes #23165)
files:
 Misc/NEWS | 3 +++
 Python/fileutils.c | 16 +++++++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -23,6 +23,9 @@
 
 - Issue #22518: Fix integer overflow issues in latin-1 encoding.
 
+- Issue #23165: Perform overflow checks before allocating memory in the
+ _Py_char2wchar function.
+
 Library
 -------
 
diff --git a/Python/fileutils.c b/Python/fileutils.c
--- a/Python/fileutils.c
+++ b/Python/fileutils.c
@@ -201,8 +201,11 @@
 wchar_t *res;
 unsigned char *in;
 wchar_t *out;
+ size_t argsize = strlen(arg) + 1;
 
- res = PyMem_Malloc((strlen(arg)+1)*sizeof(wchar_t));
+ if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t))
+ return NULL;
+ res = PyMem_Malloc(argsize*sizeof(wchar_t));
 if (!res)
 return NULL;
 
@@ -284,10 +287,15 @@
 argsize = mbstowcs(NULL, arg, 0);
 #endif
 if (argsize != (size_t)-1) {
- res = (wchar_t *)PyMem_Malloc((argsize+1)*sizeof(wchar_t));
+ if (argsize == PY_SSIZE_T_MAX)
+ goto oom;
+ argsize += 1;
+ if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t))
+ goto oom;
+ res = (wchar_t *)PyMem_Malloc(argsize*sizeof(wchar_t));
 if (!res)
 goto oom;
- count = mbstowcs(res, arg, argsize+1);
+ count = mbstowcs(res, arg, argsize);
 if (count != (size_t)-1) {
 wchar_t *tmp;
 /* Only use the result if it contains no
@@ -310,6 +318,8 @@
 /* Overallocate; as multi-byte characters are in the argument, the
 actual output could use less memory. */
 argsize = strlen(arg) + 1;
+ if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t))
+ goto oom;
 res = (wchar_t*)PyMem_Malloc(argsize*sizeof(wchar_t));
 if (!res)
 goto oom;
-- 
Repository URL: https://hg.python.org/cpython
