[3.6] bpo-22207: Add checks for possible integer overflows in unicodeobject.c. (GH-2623) (#2658)
Based on patch by Victor Stinner.
(cherry picked from commit 64e461b)
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index 494cdbd..1650370 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -5513,13 +5513,12 @@
/* four bytes are reserved for each surrogate */
if (moreunits > 1) {
Py_ssize_t outpos = out - (uint32_t*) PyBytes_AS_STRING(v);
- Py_ssize_t morebytes = 4 * (moreunits - 1);
- if (PyBytes_GET_SIZE(v) > PY_SSIZE_T_MAX - morebytes) {
+ if (moreunits >= (PY_SSIZE_T_MAX - PyBytes_GET_SIZE(v)) / 4) {
/* integer overflow */
PyErr_NoMemory();
goto error;
}
- if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + morebytes) < 0)
+ if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + 4 * (moreunits - 1)) < 0)
goto error;
out = (uint32_t*) PyBytes_AS_STRING(v) + outpos;
}
@@ -5865,13 +5864,12 @@
/* two bytes are reserved for each surrogate */
if (moreunits > 1) {
Py_ssize_t outpos = out - (unsigned short*) PyBytes_AS_STRING(v);
- Py_ssize_t morebytes = 2 * (moreunits - 1);
- if (PyBytes_GET_SIZE(v) > PY_SSIZE_T_MAX - morebytes) {
+ if (moreunits >= (PY_SSIZE_T_MAX - PyBytes_GET_SIZE(v)) / 2) {
/* integer overflow */
PyErr_NoMemory();
goto error;
}
- if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + morebytes) < 0)
+ if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + 2 * (moreunits - 1)) < 0)
goto error;
out = (unsigned short*) PyBytes_AS_STRING(v) + outpos;
}
@@ -6551,6 +6549,10 @@
1))
return NULL;
+ if (size < 0) {
+ PyErr_BadInternalCall();
+ return NULL;
+ }
if (size == 0)
_Py_RETURN_UNICODE_EMPTY();
@@ -7352,6 +7354,10 @@
PyErr_SetString(PyExc_ValueError, "invalid code page number");
return NULL;
}
+ if (size < 0) {
+ PyErr_BadInternalCall();
+ return NULL;
+ }
if (consumed)
*consumed = 0;