Issue #14700: Fix two broken and undefined-behaviour-inducing overflow checks in old-style string formatting. Thanks Serhiy Storchaka for report and original patch.

commit: 99e2e5552ab6a105b188273658784963bb9a915c [log] [tgz]
author: Mark Dickinson <mdickinson@enthought.com> Mon May 07 11:20:50 2012 +0100
committer: Mark Dickinson <mdickinson@enthought.com> Mon May 07 11:20:50 2012 +0100
tree: a5be0d6455e3f0eec37595061463ca7cda5aa29f
parent: 10ba07a39eadaedd74e291f9d8b6b7f5e5c8702f [diff] [blame]
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index bb0d786..129a5fc 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c

@@ -13933,7 +13933,7 @@
                     c = PyUnicode_READ(fmtkind, fmt, fmtpos++);
                     if (c < '0' || c > '9')
                         break;
-                    if ((width*10) / 10 != width) {
+                    if (width > (PY_SSIZE_T_MAX - (c - '0')) / 10) {
                         PyErr_SetString(PyExc_ValueError,
                                         "width too big");
                         goto onError;
@@ -13968,7 +13968,7 @@
                         c = PyUnicode_READ(fmtkind, fmt, fmtpos++);
                         if (c < '0' || c > '9')
                             break;
-                        if ((prec*10) / 10 != prec) {
+                        if (prec > (INT_MAX - (c - '0')) / 10) {
                             PyErr_SetString(PyExc_ValueError,
                                             "prec too big");
                             goto onError;
commit	99e2e5552ab6a105b188273658784963bb9a915c	[log] [tgz]
author	Mark Dickinson <mdickinson@enthought.com>	Mon May 07 11:20:50 2012 +0100
committer	Mark Dickinson <mdickinson@enthought.com>	Mon May 07 11:20:50 2012 +0100
tree	a5be0d6455e3f0eec37595061463ca7cda5aa29f
parent	10ba07a39eadaedd74e291f9d8b6b7f5e5c8702f [diff] [blame]