bpo-22207: Add checks for possible integer overflows in unicodeobject.c. (#2623)

Based on patch by Victor Stinner.
2017-07-11 06:55:25 +03:00 · 2017-07-11 06:55:25 +03:00 · 64e461be09
parent 1180e5a518
commit 64e461be09
1 changed files with 12 additions and 6 deletions
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@ -5478,13 +5478,12 @@ _PyUnicode_EncodeUTF32(PyObject *str,
        /* four bytes are reserved for each surrogate */
        if (moreunits > 1) {
            Py_ssize_t outpos = out - (uint32_t*) PyBytes_AS_STRING(v);
-            Py_ssize_t morebytes = 4 * (moreunits - 1);
-            if (PyBytes_GET_SIZE(v) > PY_SSIZE_T_MAX - morebytes) {
+            if (moreunits >= (PY_SSIZE_T_MAX - PyBytes_GET_SIZE(v)) / 4) {
                /* integer overflow */
                PyErr_NoMemory();
                goto error;
            }
-            if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + morebytes) < 0)
+            if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + 4 * (moreunits - 1)) < 0)
                goto error;
            out = (uint32_t*) PyBytes_AS_STRING(v) + outpos;
        }
@ -5830,13 +5829,12 @@ _PyUnicode_EncodeUTF16(PyObject *str,
        /* two bytes are reserved for each surrogate */
        if (moreunits > 1) {
            Py_ssize_t outpos = out - (unsigned short*) PyBytes_AS_STRING(v);
-            Py_ssize_t morebytes = 2 * (moreunits - 1);
-            if (PyBytes_GET_SIZE(v) > PY_SSIZE_T_MAX - morebytes) {
+            if (moreunits >= (PY_SSIZE_T_MAX - PyBytes_GET_SIZE(v)) / 2) {
                /* integer overflow */
                PyErr_NoMemory();
                goto error;
            }
-            if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + morebytes) < 0)
+            if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + 2 * (moreunits - 1)) < 0)
                goto error;
            out = (unsigned short*) PyBytes_AS_STRING(v) + outpos;
        }
@ -6516,6 +6514,10 @@ _PyUnicode_DecodeUnicodeInternal(const char *s,
                     1))
        return NULL;

+    if (size < 0) {
+        PyErr_BadInternalCall();
+        return NULL;
+    }
    if (size == 0)
        _Py_RETURN_UNICODE_EMPTY();

@ -7303,6 +7305,10 @@ decode_code_page_stateful(int code_page,
        PyErr_SetString(PyExc_ValueError, "invalid code page number");
        return NULL;
    }
+    if (size < 0) {
+        PyErr_BadInternalCall();
+        return NULL;
+    }

    if (consumed)
        *consumed = 0;