From 9aa040d4ab01f34ee1d1e1f95e5678fcb404e430 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith" <greg@mad-scientist.com>
Date: Mon, 2 Jun 2008 00:07:25 +0000
Subject: [PATCH] - Issue #2588, #2589: Fix potential integer underflow and
 overflow   conditions in the PyOS_vsnprintf C API function.

This is a backport of r63728 and r63734 from trunk.
---
 Misc/NEWS           |  3 +++
 Python/mysnprintf.c | 22 +++++++++++++++++-----
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/Misc/NEWS b/Misc/NEWS
index 4eb8a807048..6363f80630d 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -41,6 +41,9 @@ Core and builtins
   less than zero will now raise a SystemError and return NULL to indicate a
   bug in the calling C code.
 
+- Issue #2588, #2589: Fix potential integer underflow and overflow
+  conditions in the PyOS_vsnprintf C API function.
+
 
 Library
 -------
diff --git a/Python/mysnprintf.c b/Python/mysnprintf.c
index 4d3770d8943..3173863c466 100644
--- a/Python/mysnprintf.c
+++ b/Python/mysnprintf.c
@@ -54,18 +54,28 @@ int
 PyOS_vsnprintf(char *str, size_t size, const char  *format, va_list va)
 {
 	int len;  /* # bytes written, excluding \0 */
-#ifndef HAVE_SNPRINTF
+#ifdef HAVE_SNPRINTF
+#define _PyOS_vsnprintf_EXTRA_SPACE 1
+#else
+#define _PyOS_vsnprintf_EXTRA_SPACE 512
 	char *buffer;
 #endif
 	assert(str != NULL);
 	assert(size > 0);
 	assert(format != NULL);
+	/* We take a size_t as input but return an int.  Sanity check
+	 * our input so that it won't cause an overflow in the
+         * vsnprintf return value or the buffer malloc size.  */
+	if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE) {
+		len = -666;
+		goto Done;
+	}
 
 #ifdef HAVE_SNPRINTF
 	len = vsnprintf(str, size, format, va);
 #else
 	/* Emulate it. */
-	buffer = PyMem_MALLOC(size + 512);
+	buffer = PyMem_MALLOC(size + _PyOS_vsnprintf_EXTRA_SPACE);
 	if (buffer == NULL) {
 		len = -666;
 		goto Done;
@@ -75,7 +85,7 @@ PyOS_vsnprintf(char *str, size_t size, const char  *format, va_list va)
 	if (len < 0)
 		/* ignore the error */;
 
-	else if ((size_t)len >= size + 512)
+	else if ((size_t)len >= size + _PyOS_vsnprintf_EXTRA_SPACE)
 		Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf");
 
 	else {
@@ -86,8 +96,10 @@ PyOS_vsnprintf(char *str, size_t size, const char  *format, va_list va)
 		str[to_copy] = '\0';
 	}
 	PyMem_FREE(buffer);
-Done:
 #endif
-	str[size-1] = '\0';
+Done:
+	if (size > 0)
+		str[size-1] = '\0';
 	return len;
+#undef _PyOS_vsnprintf_EXTRA_SPACE
 }