Backport r62261 from trunk:
Prevent PyString_FromStringAndSize() from passing negative sizes on to lower
level memory allocation functions. Raise a SystemError and return NULL
instead.
diff --git a/Misc/NEWS b/Misc/NEWS
index 357fa4f..aeee3f8 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -30,13 +30,15 @@
- Issue #2238: Some syntax errors in *args and **kwargs expressions could give
bogus error messages.
+- Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size
+ parameter but was not verifying that it was greater than zero. Values
+ less than zero will now raise a SystemError and return NULL to indicate a
+ bug in the calling C code.
+
Library
-------
-- zlib.decompressobj().flush(value) no longer crashes the interpreter when
- passed a value less than or equal to zero.
-
- Issue #2495: tokenize.untokenize now inserts a space between two consecutive
string literals; previously, ["" ""] was rendered as [""""], which is
incorrect python code.
@@ -72,6 +74,9 @@
Extension Modules
-----------------
+- zlib.decompressobj().flush(value) no longer crashes the interpreter when
+ passed a value less than or equal to zero.
+
Tests
-----
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index e1e287f..7cd613d 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -54,6 +54,11 @@
{
register PyStringObject *op;
assert(size >= 0);
+ if (size < 0) {
+ PyErr_SetString(PyExc_SystemError,
+ "Negative size passed to PyString_FromStringAndSize");
+ return NULL;
+ }
if (size == 0 && (op = nullstring) != NULL) {
#ifdef COUNT_ALLOCS
null_strings++;