Fix a nasty endcase reported by Armin Rigo in SF bug 618623:
'%2147483647d' % -123 segfaults.  This was because an integer overflow
in a comparison caused the string resize to be skipped.  After fixing
the overflow, this could call _PyString_Resize() with a negative size,
so I (1) test for that and raise MemoryError instead; (2) also added a
test for negative newsize to _PyString_Resize(), raising SystemError
as for all bad arguments.

An identical bug existed in unicodeobject.c, of course.

Will backport to 2.2.2.
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index eb8ee61..5f9f4a7 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -261,7 +261,7 @@
 	return -1;
     }
     v = (PyUnicodeObject *)*unicode;
-    if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1) {
+    if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1 || length < 0) {
 	PyErr_BadInternalCall();
 	return -1;
     }
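Review bot: The new `length < 0` guard sets only a lower bound and has no comment explaining why a resize helper must reject negative sizes. A short comment above the condition would help, for example `/* length comes from int arithmetic in callers and may have wrapped; reject it before it reaches the allocator */`. The rest of the function is outside this hunk, so this is hedged: if the code further down computes `length + 1` or multiplies by the element size, a very large positive `length` could overflow there and would need an upper-bound check as well.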
@@ -6483,10 +6483,14 @@
 	    }
 	    if (width < len)
 		width = len;
-	    if (rescnt < width + (sign != 0)) {
+	    if (rescnt - (sign != 0) < width) {
 		reslen -= rescnt;
 		rescnt = width + fmtcnt + 100;
 		reslen += rescnt;
+		if (reslen < 0) {
+		    Py_DECREF(result);
+		    return PyErr_NoMemory();
+		}
 		if (_PyUnicode_Resize(&result, reslen) < 0)
 		    return NULL;
 		res = PyUnicode_AS_UNICODE(result)
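Review bot: The added `reslen < 0` test runs only after `rescnt = width + fmtcnt + 100` and `reslen += rescnt` have been evaluated, so it relies on signed overflow wrapping to a negative value. That is undefined behaviour in C, and a compiler is allowed to assume it never happens. Checking the bound before the arithmetic avoids this, e.g. `if (width > INT_MAX - fmtcnt - 100 || reslen - rescnt > INT_MAX - (width + fmtcnt + 100)) { Py_DECREF(result); return PyErr_NoMemory(); }`, assuming the counters are plain `int` and `fmtcnt` is non-negative. A pre-check also covers the case where `rescnt` itself wraps negative while `reslen` stays non-negative, which the post-hoc test would miss. The enclosing function starts and ends outside the hunk, so it is worth confirming that `result` is the only owned reference that needs releasing on this early return.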