commit 8f422461b4c19b8a66beae218311917e688f03ce
author Tim Peters <tim.peters@gmail.com> Sat Sep 09 06:13:41 2000 +0000
committer Tim Peters <tim.peters@gmail.com> Sat Sep 09 06:13:41 2000 +0000
tree b6a577d50d437b8e2d388f5892fcd1f645d2c84c
parent 643d76d735726352dd40433b663d48617e27e200

Fix for bug 113934.  string*n and unicode*n did no overflow checking at
all, either to see whether the # of chars fit in an int, or that the
amount of memory needed fit in a size_t.  Checking these is expensive, but
the alternative is silently wrong answers (as in the bug report) or
core dumps (which were easy to provoke using Unicode strings).

Objects/stringobject.c

diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index f7c3f4b..eee3551 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -393,16 +393,31 @@
 	register int i;
 	register int size;
 	register PyStringObject *op;
+	size_t nbytes;
 	if (n < 0)
 		n = 0;
+	/* watch out for overflows:  the size can overflow int,
+	 * and the # of bytes needed can overflow size_t
+	 */
 	size = a->ob_size * n;
+	if (n && size / n != a->ob_size) {
+		PyErr_SetString(PyExc_OverflowError,
+			"repeated string is too long");
+		return NULL;
+	}
 	if (size == a->ob_size) {
 		Py_INCREF(a);
 		return (PyObject *)a;
 	}
-	/* PyObject_NewVar is inlined */
+	nbytes = size * sizeof(char);
+	if (nbytes / sizeof(char) != (size_t)size ||
+	    nbytes + sizeof(PyStringObject) <= nbytes) {
+		PyErr_SetString(PyExc_OverflowError,
+			"repeated string is too long");
+		return NULL;
+	}
 	op = (PyStringObject *)
-		PyObject_MALLOC(sizeof(PyStringObject) + size * sizeof(char));
+		PyObject_MALLOC(sizeof(PyStringObject) + nbytes);
 	if (op == NULL)
 		return PyErr_NoMemory();
 	PyObject_INIT_VAR(op, &PyString_Type, size);