From c3c9db89273fabc62ea1b48389d9a3000c1c03ae Mon Sep 17 00:00:00 2001
From: Jay Bosamiya <jaybosamiya@gmail.com>
Date: Sun, 18 Jun 2017 22:11:03 +0530
Subject: [PATCH] [2.7] bpo-30657: Check & prevent integer overflow in
 PyString_DecodeEscape (#2174)

#---
# Misc/ACKS              | 1 +
# Misc/NEWS              | 3 +++
# Objects/stringobject.c | 8 +++++++-
# 3 files changed, 11 insertions(+), 1 deletion(-)
#
#diff --git a/Misc/ACKS b/Misc/ACKS
#index 95be42717a0..a411bc5ffc8 100644
#--- a/Misc/ACKS
#+++ b/Misc/ACKS
#@@ -152,6 +152,7 @@ Gregory Bond
# Matias Bordese
# Jonas Borgström
# Jurjen Bos
#+Jay Bosamiya
# Peter Bosch
# Dan Boswell
# Eric Bouck
#diff --git a/Misc/NEWS b/Misc/NEWS
#index b89f6ea62d8..62559edf837 100644
#--- a/Misc/NEWS
#+++ b/Misc/NEWS
#@@ -10,6 +10,9 @@ What's New in Python 2.7.14?
# Core and Builtins
# -----------------
# 
#+- bpo-30657: Fixed possible integer overflow in PyString_DecodeEscape.
#+  Patch by Jay Bosamiya.
#+
# - bpo-27945: Fixed various segfaults with dict when input collections are
#   mutated during searching, inserting or comparing.  Based on patches by
#   Duane Griffin and Tim Mitchell.
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index c78e19316a0..59d22e76946 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s,
     char *p, *buf;
     const char *end;
     PyObject *v;
-    Py_ssize_t newlen = recode_encoding ? 4*len:len;
+    Py_ssize_t newlen;
+    /* Check for integer overflow */
+    if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
+        PyErr_SetString(PyExc_OverflowError, "string is too large");
+        return NULL;
+    }
+    newlen = recode_encoding ? 4*len:len;
     v = PyString_FromStringAndSize((char *)NULL, newlen);
     if (v == NULL)
         return NULL;