add overflow checking (closes #23361)

2015-02-09 20:58:12 -05:00 · 2015-02-09 20:58:12 -05:00 · 8ce6806498
parent dee948b359
commit 8ce6806498
2 changed files with 14 additions and 2 deletions
--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -16,6 +16,8 @@ Core and Builtins
 Library
 -------

+- Issue #23361: Fix possible overflow in Windows subprocess creation code.
+
 - Issue #23363: Fix possible overflow in itertools.permutations.

 - Issue #23364: Fix possible overflow in itertools.product.
--- a/Modules/_winapi.c
+++ b/Modules/_winapi.c
@ -513,13 +513,23 @@ getenvironment(PyObject* environment)
                "environment can only contain strings");
            goto error;
        }
+        if (totalsize > PY_SSIZE_T_MAX - PyUnicode_GET_LENGTH(key) - 1) {
+            PyErr_SetString(PyExc_OverflowError, "environment too long");
+            goto error;
+        }
        totalsize += PyUnicode_GET_LENGTH(key) + 1;    /* +1 for '=' */
+        if (totalsize > PY_SSIZE_T_MAX - PyUnicode_GET_LENGTH(value) - 1) {
+            PyErr_SetString(PyExc_OverflowError, "environment too long");
+            goto error;
+        }
        totalsize += PyUnicode_GET_LENGTH(value) + 1;  /* +1 for '\0' */
    }

-    buffer = PyMem_Malloc(totalsize * sizeof(Py_UCS4));
-    if (! buffer)
+    buffer = PyMem_NEW(Py_UCS4, totalsize);
+    if (! buffer) {
+        PyErr_NoMemory();
        goto error;
+    }
    p = buffer;
    end = buffer + totalsize;