commit b779bfba458a8147cce44100cbc14ec304807197
author Benjamin Peterson <benjamin@python.org> Mon Mar 02 11:17:05 2015 -0500
committer Benjamin Peterson <benjamin@python.org> Mon Mar 02 11:17:05 2015 -0500
tree d933468ca1090f84495f8016645c5e820f081528
parent 03f8612562d509013c179c908815e78092a058ad

fix possible overflow bugs in unicodedata (closes #23367)

Modules/unicodedata.c

diff --git a/Modules/unicodedata.c b/Modules/unicodedata.c
index f4d3608..9fb1191 100644
--- a/Modules/unicodedata.c
+++ b/Modules/unicodedata.c
@@ -507,10 +507,17 @@
 
     stackptr = 0;
     isize = PyUnicode_GET_LENGTH(input);
+    space = isize;
     /* Overallocate at most 10 characters. */
-    space = (isize > 10 ? 10 : isize) + isize;
+    if (space > 10) {
+        if (space <= PY_SSIZE_T_MAX - 10)
+            space += 10;
+    }
+    else {
+        space *= 2;
+    }
     osize = space;
-    output = PyMem_Malloc(space * sizeof(Py_UCS4));
+    output = PyMem_NEW(Py_UCS4, space);
     if (!output) {
         PyErr_NoMemory();
         return NULL;
@@ -657,7 +664,7 @@
     /* We allocate a buffer for the output.
        If we find that we made no changes, we still return
        the NFD result. */
-    output = PyMem_Malloc(len * sizeof(Py_UCS4));
+    output = PyMem_NEW(Py_UCS4, len);
     if (!output) {
         PyErr_NoMemory();
         Py_DECREF(result);