Prevent expandtabs() on string and unicode objects from causing a segfault when
a large width is passed on 32-bit platforms. Found by Google.
It would be good for people to review this especially carefully and verify
I don't have an off by one error and there is no other way to cause overflow.
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index 00f2018..0640da8 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -5686,7 +5686,7 @@
Py_UNICODE *e;
Py_UNICODE *p;
Py_UNICODE *q;
- Py_ssize_t i, j;
+ Py_ssize_t i, j, old_j;
PyUnicodeObject *u;
int tabsize = 8;
@@ -5694,12 +5694,18 @@
return NULL;
/* First pass: determine size of output string */
- i = j = 0;
+ i = j = old_j = 0;
e = self->str + self->length;
for (p = self->str; p < e; p++)
if (*p == '\t') {
- if (tabsize > 0)
+ if (tabsize > 0) {
j += tabsize - (j % tabsize);
+ if (old_j > j) {
+ PyErr_SetString(PyExc_OverflowError, "new string is too long");
+ return NULL;
+ }
+ old_j = j;
+ }
}
else {
j++;
@@ -5709,6 +5715,11 @@
}
}
+ if ((i + j) < 0) {
+ PyErr_SetString(PyExc_OverflowError, "new string is too long");
+ return NULL;
+ }
+
/* Second pass: create output string and fill it */
u = _PyUnicode_New(i + j);
if (!u)