changeset: 94018:1ce98e85929d branch: 3.2 parent: 93995:1806a00fd6b8 user: Benjamin Peterson date: Sun Jan 04 16:03:17 2015 -0600 files: Misc/NEWS Python/fileutils.c description: add some overflow checks before multiplying (closes #23165) diff -r 1806a00fd6b8 -r 1ce98e85929d Misc/NEWS --- a/Misc/NEWS Wed Dec 31 18:09:36 2014 -0600 +++ b/Misc/NEWS Sun Jan 04 16:03:17 2015 -0600 @@ -10,6 +10,9 @@ Core and Builtins ----------------- +- Issue #23165: Perform overflow checks before allocating memory in the + _Py_char2wchar function. + - Issue #19529: Fix a potential crash in converting Unicode objects to wchar_t when Py_UNICODE is 4 bytes but wchar_t is 2 bytes, for example on AIX. diff -r 1806a00fd6b8 -r 1ce98e85929d Python/fileutils.c --- a/Python/fileutils.c Wed Dec 31 18:09:36 2014 -0600 +++ b/Python/fileutils.c Sun Jan 04 16:03:17 2015 -0600 @@ -169,8 +169,11 @@ wchar_t *res; unsigned char *in; wchar_t *out; + size_t argsize = strlen(arg) + 1; - res = PyMem_Malloc((strlen(arg)+1)*sizeof(wchar_t)); + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + return NULL; + res = PyMem_Malloc(argsize*sizeof(wchar_t)); if (!res) return NULL; @@ -250,10 +253,15 @@ argsize = mbstowcs(NULL, arg, 0); #endif if (argsize != (size_t)-1) { - res = (wchar_t *)PyMem_Malloc((argsize+1)*sizeof(wchar_t)); + if (argsize == PY_SSIZE_T_MAX) + goto oom; + argsize += 1; + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + goto oom; + res = (wchar_t *)PyMem_Malloc(argsize*sizeof(wchar_t)); if (!res) goto oom; - count = mbstowcs(res, arg, argsize+1); + count = mbstowcs(res, arg, argsize); if (count != (size_t)-1) { wchar_t *tmp; /* Only use the result if it contains no @@ -276,6 +284,8 @@ /* Overallocate; as multi-byte characters are in the argument, the actual output could use less memory. */ argsize = strlen(arg) + 1; + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + goto oom; res = (wchar_t*)PyMem_Malloc(argsize*sizeof(wchar_t)); if (!res) goto oom;