[Python-checkins] cpython (merge 3.4 -> default): merge 3.4 (#23165)

benjamin.peterson python-checkins at python.org
Sun Jan 4 23:07:07 CET 2015


https://hg.python.org/cpython/rev/8c4fb312e15d
changeset:   94021:8c4fb312e15d
parent:      94015:b96985753613
parent:      94020:d45e16b1ed86
user:        Benjamin Peterson <benjamin at python.org>
date:        Sun Jan 04 16:06:14 2015 -0600
summary:
  merge 3.4 (#23165)

files:
  Misc/NEWS          |   3 +++
  Python/fileutils.c |  16 +++++++++++++---
  2 files changed, 16 insertions(+), 3 deletions(-)


diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -193,6 +193,9 @@
   exception. In versions prior to 3.5, '#' with 'c' had no effect. Now
   specifying it is an error.  Patch by Torsten Landschoff.
 
+- Issue #23165: Perform overflow checks before allocating memory in the
+  _Py_char2wchar function.
+
 Library
 -------
 
diff --git a/Python/fileutils.c b/Python/fileutils.c
--- a/Python/fileutils.c
+++ b/Python/fileutils.c
@@ -220,8 +220,11 @@
     wchar_t *res;
     unsigned char *in;
     wchar_t *out;
+    size_t argsize = strlen(arg) + 1;
 
-    res = PyMem_RawMalloc((strlen(arg)+1)*sizeof(wchar_t));
+    if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t))
+        return NULL;
+    res = PyMem_RawMalloc(argsize*sizeof(wchar_t));
     if (!res)
         return NULL;
 
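Review bot: The new guard `if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t))` has no comment saying what it protects, and the same bare test recurs in the two later Python/fileutils.c hunks. A one-line comment above each would make the intent clear and keep a later cleanup from dropping it, for example `/* Reject lengths for which argsize*sizeof(wchar_t) would overflow the allocation size. */`. The enclosing function starts and ends outside this hunk, so the writes into `res` are not visible here. That a wrapped size would lead to an undersized buffer is inferred from the issue text, not from these lines.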
@@ -305,10 +308,15 @@
     argsize = mbstowcs(NULL, arg, 0);
 #endif
     if (argsize != (size_t)-1) {
-        res = (wchar_t *)PyMem_RawMalloc((argsize+1)*sizeof(wchar_t));
+        if (argsize == PY_SSIZE_T_MAX)
+            goto oom;
+        argsize += 1;
+        if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t))
+            goto oom;
+        res = (wchar_t *)PyMem_RawMalloc(argsize*sizeof(wchar_t));
         if (!res)
             goto oom;
-        count = mbstowcs(res, arg, argsize+1);
+        count = mbstowcs(res, arg, argsize);
         if (count != (size_t)-1) {
             wchar_t *tmp;
             /* Only use the result if it contains no
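Review bot: The `if (argsize == PY_SSIZE_T_MAX) goto oom;` test is redundant, because the bound check after the increment already rejects that value and every larger one. `argsize + 1` cannot wrap at this point, since `(size_t)-1` is excluded by the enclosing `if`. The two tests could be a single one before the increment, `if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t) - 1) goto oom;`, followed by `argsize += 1;`. Separately, `argsize` now includes the terminator for the rest of this branch, which continues outside the hunk, so any later read of it there should be checked against the new meaning.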
@@ -331,6 +339,8 @@
     /* Overallocate; as multi-byte characters are in the argument, the
        actual output could use less memory. */
     argsize = strlen(arg) + 1;
+    if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t))
+        goto oom;
     res = (wchar_t*)PyMem_RawMalloc(argsize*sizeof(wchar_t));
     if (!res)
         goto oom;

-- 
Repository URL: https://hg.python.org/cpython

