changeset: 94576:76170e33f251
parent: 94573:e548ab4ce71d
parent: 94575:b82cc9180a78
user: Benjamin Peterson
date: Mon Feb 09 21:00:00 2015 -0500
files: Misc/NEWS Modules/_winapi.c
description: merge 3.4 (#23361)
diff -r e548ab4ce71d -r 76170e33f251 Misc/NEWS
--- a/Misc/NEWS Mon Feb 09 19:49:00 2015 +0000
+++ b/Misc/NEWS Mon Feb 09 21:00:00 2015 -0500
@@ -13,6 +13,8 @@
 Library
 -------
+- Issue #23361: Fix possible overflow in Windows subprocess creation code.
+
 - logging.handlers.QueueListener now takes a respect_handler_level keyword argument which, if set to True, will pass messages to handlers taking handler levels into account.
diff -r e548ab4ce71d -r 76170e33f251 Modules/_winapi.c
--- a/Modules/_winapi.c Mon Feb 09 19:49:00 2015 +0000
+++ b/Modules/_winapi.c Mon Feb 09 21:00:00 2015 -0500
@@ -670,13 +670,23 @@
 "environment can only contain strings");
 goto error;
 }
+ if (totalsize > PY_SSIZE_T_MAX - PyUnicode_GET_LENGTH(key) - 1) {
+ PyErr_SetString(PyExc_OverflowError, "environment too long");
+ goto error;
+ }
 totalsize += PyUnicode_GET_LENGTH(key) + 1; /* +1 for '=' */
+ if (totalsize > PY_SSIZE_T_MAX - PyUnicode_GET_LENGTH(value) - 1) {
+ PyErr_SetString(PyExc_OverflowError, "environment too long");
+ goto error;
+ }
 totalsize += PyUnicode_GET_LENGTH(value) + 1; /* +1 for '\0' */
 }
- buffer = PyMem_Malloc(totalsize * sizeof(Py_UCS4));
- if (! buffer)
+ buffer = PyMem_NEW(Py_UCS4, totalsize);
+ if (! buffer) {
+ PyErr_NoMemory();
 goto error;
+ }
 p = buffer;
 end = buffer + totalsize;
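Review bot: The two added guards in the Modules/_winapi.c hunk bound `totalsize` in elements, not bytes, so a total that passes them can still exceed `PY_SSIZE_T_MAX / sizeof(Py_UCS4)`; that case is left to the size check inside `PyMem_NEW` and surfaces through the new `PyErr_NoMemory()` as MemoryError, while the additive case raises OverflowError with "environment too long". If a single exception is wanted for an oversized environment, tighten the limit in both guards, e.g. `if (totalsize > PY_SSIZE_T_MAX / (Py_ssize_t)sizeof(Py_UCS4) - PyUnicode_GET_LENGTH(key) - 1) {`. Otherwise a comment above the allocation such as `/* PyMem_NEW returns NULL if totalsize * sizeof(Py_UCS4) would overflow */` records why the removed explicit multiplication needs no separate check. The declaration of `totalsize` and the copy loop that consumes `buffer` lie outside the hunk, so its type and starting value are assumed here rather than verified.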