[3.6] bpo-22207: Add checks for possible integer overflows in unicodeobject.c. (GH-2623) (#2658)
Based on patch by Victor Stinner.
(cherry picked from commit 64e461b
)
This commit is contained in:
parent
ecfe4f678b
commit
82a9075600
|
@ -5513,13 +5513,12 @@ _PyUnicode_EncodeUTF32(PyObject *str,
|
||||||
/* four bytes are reserved for each surrogate */
|
/* four bytes are reserved for each surrogate */
|
||||||
if (moreunits > 1) {
|
if (moreunits > 1) {
|
||||||
Py_ssize_t outpos = out - (uint32_t*) PyBytes_AS_STRING(v);
|
Py_ssize_t outpos = out - (uint32_t*) PyBytes_AS_STRING(v);
|
||||||
Py_ssize_t morebytes = 4 * (moreunits - 1);
|
if (moreunits >= (PY_SSIZE_T_MAX - PyBytes_GET_SIZE(v)) / 4) {
|
||||||
if (PyBytes_GET_SIZE(v) > PY_SSIZE_T_MAX - morebytes) {
|
|
||||||
/* integer overflow */
|
/* integer overflow */
|
||||||
PyErr_NoMemory();
|
PyErr_NoMemory();
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + morebytes) < 0)
|
if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + 4 * (moreunits - 1)) < 0)
|
||||||
goto error;
|
goto error;
|
||||||
out = (uint32_t*) PyBytes_AS_STRING(v) + outpos;
|
out = (uint32_t*) PyBytes_AS_STRING(v) + outpos;
|
||||||
}
|
}
|
||||||
|
@ -5865,13 +5864,12 @@ _PyUnicode_EncodeUTF16(PyObject *str,
|
||||||
/* two bytes are reserved for each surrogate */
|
/* two bytes are reserved for each surrogate */
|
||||||
if (moreunits > 1) {
|
if (moreunits > 1) {
|
||||||
Py_ssize_t outpos = out - (unsigned short*) PyBytes_AS_STRING(v);
|
Py_ssize_t outpos = out - (unsigned short*) PyBytes_AS_STRING(v);
|
||||||
Py_ssize_t morebytes = 2 * (moreunits - 1);
|
if (moreunits >= (PY_SSIZE_T_MAX - PyBytes_GET_SIZE(v)) / 2) {
|
||||||
if (PyBytes_GET_SIZE(v) > PY_SSIZE_T_MAX - morebytes) {
|
|
||||||
/* integer overflow */
|
/* integer overflow */
|
||||||
PyErr_NoMemory();
|
PyErr_NoMemory();
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + morebytes) < 0)
|
if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + 2 * (moreunits - 1)) < 0)
|
||||||
goto error;
|
goto error;
|
||||||
out = (unsigned short*) PyBytes_AS_STRING(v) + outpos;
|
out = (unsigned short*) PyBytes_AS_STRING(v) + outpos;
|
||||||
}
|
}
|
||||||
|
@ -6551,6 +6549,10 @@ _PyUnicode_DecodeUnicodeInternal(const char *s,
|
||||||
1))
|
1))
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
|
if (size < 0) {
|
||||||
|
PyErr_BadInternalCall();
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
if (size == 0)
|
if (size == 0)
|
||||||
_Py_RETURN_UNICODE_EMPTY();
|
_Py_RETURN_UNICODE_EMPTY();
|
||||||
|
|
||||||
|
@ -7352,6 +7354,10 @@ decode_code_page_stateful(int code_page,
|
||||||
PyErr_SetString(PyExc_ValueError, "invalid code page number");
|
PyErr_SetString(PyExc_ValueError, "invalid code page number");
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
if (size < 0) {
|
||||||
|
PyErr_BadInternalCall();
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
if (consumed)
|
if (consumed)
|
||||||
*consumed = 0;
|
*consumed = 0;
|
||||||
|
|
Loading…
Reference in New Issue