From c3c9db89273fabc62ea1b48389d9a3000c1c03ae Mon Sep 17 00:00:00 2001
From: Jay Bosamiya <jaybosamiya@gmail.com>
Date: Sun, 18 Jun 2017 22:11:03 +0530
Subject: [PATCH] [2.7] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174)
#---
# Misc/ACKS | 1 +
# Misc/NEWS | 3 +++
# Objects/stringobject.c | 8 +++++++-
# 3 files changed, 11 insertions(+), 1 deletion(-)
#
#diff --git a/Misc/ACKS b/Misc/ACKS
#index 95be42717a0..a411bc5ffc8 100644
#--- a/Misc/ACKS
#+++ b/Misc/ACKS
#@@ -152,6 +152,7 @@ Gregory Bond
# Matias Bordese
# Jonas Borgström
# Jurjen Bos
#+Jay Bosamiya
# Peter Bosch
# Dan Boswell
# Eric Bouck
#diff --git a/Misc/NEWS b/Misc/NEWS
#index b89f6ea62d8..62559edf837 100644
#--- a/Misc/NEWS
#+++ b/Misc/NEWS
#@@ -10,6 +10,9 @@ What's New in Python 2.7.14?
# Core and Builtins
# -----------------
#
#+- bpo-30657: Fixed possible integer overflow in PyString_DecodeEscape.
#+ Patch by Jay Bosamiya.
#+
# - bpo-27945: Fixed various segfaults with dict when input collections are
# mutated during searching, inserting or comparing. Based on patches by
# Duane Griffin and Tim Mitchell.
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index c78e19316a0..59d22e76946 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s,
 char *p, *buf;
 const char *end;
 PyObject *v;
- Py_ssize_t newlen = recode_encoding ? 4*len:len;
+ Py_ssize_t newlen;
+ /* Check for integer overflow */
+ if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
+ PyErr_SetString(PyExc_OverflowError, "string is too large");
+ return NULL;
+ }
+ newlen = recode_encoding ? 4*len:len;
 v = PyString_FromStringAndSize((char *)NULL, newlen);
 if (v == NULL)
 return NULL;
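Review bot: The guard `len > PY_SSIZE_T_MAX / 4` is only meaningful together with the `4*len` sizing a few lines below it, and neither the new `/* Check for integer overflow */` comment nor the `newlen` line says where the factor 4 comes from; I would replace the bare comment with one that ties the two together, e.g. `/* Recoding may expand each input byte to at most 4 output bytes; reject a len for which 4*len would overflow Py_ssize_t (signed overflow is UB), since newlen sizes the output buffer below. */`. The constant presumably caps the per-byte expansion of the recode path later in the body, which is outside this hunk, so I cannot confirm from here that every target codec stays within 4 bytes per input byte; if one does not, the buffer sized here is short regardless of this check, and that assumption deserves to be written down next to the bound. The check itself is correctly placed before the multiplication rather than after it, and it leaves the non-recoding path (`newlen = len`) untouched. PyString_DecodeEscape's body continues past the end of the hunk.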