Backport r62261 from trunk:

Prevent PyString_FromStringAndSize() from passing negative sizes on to lower level memory allocation functions. Raise a SystemError and return NULL instead.
2008-04-09 23:41:13 +00:00 · 2008-04-09 23:41:13 +00:00 · 14acde30f6
parent 3782da4e0a
commit 14acde30f6
2 changed files with 13 additions and 3 deletions
--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -30,13 +30,15 @@ Core and builtins
 - Issue #2238: Some syntax errors in *args and **kwargs expressions could give
  bogus error messages.

+- Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size
+  parameter but was not verifying that it was greater than zero.  Values
+  less than zero will now raise a SystemError and return NULL to indicate a
+  bug in the calling C code.
+

 Library
 -------

- zlib.decompressobj().flush(value) no longer crashes the interpreter when
-  passed a value less than or equal to zero.
-
 - Issue #2495: tokenize.untokenize now inserts a space between two consecutive
  string literals; previously, ["" ""] was rendered as [""""], which is
  incorrect python code.
@ -72,6 +74,9 @@ Library
 Extension Modules
 -----------------

+- zlib.decompressobj().flush(value) no longer crashes the interpreter when
+  passed a value less than or equal to zero.
+
 Tests
 -----

--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@ -54,6 +54,11 @@ PyString_FromStringAndSize(const char *str, Py_ssize_t size)
 {
 	register PyStringObject *op;
 	assert(size >= 0);
+	if (size < 0) {
+		PyErr_SetString(PyExc_SystemError,
+		    "Negative size passed to PyString_FromStringAndSize");
+		return NULL;
+	}
 	if (size == 0 && (op = nullstring) != NULL) {
 #ifdef COUNT_ALLOCS
 		null_strings++;