changeset: 94021:8c4fb312e15d parent: 94015:b96985753613 parent: 94020:d45e16b1ed86 user: Benjamin Peterson date: Sun Jan 04 16:06:14 2015 -0600 files: Misc/NEWS Python/fileutils.c description: merge 3.4 (#23165) diff -r b96985753613 -r 8c4fb312e15d Misc/NEWS --- a/Misc/NEWS Sun Jan 04 00:36:59 2015 -0800 +++ b/Misc/NEWS Sun Jan 04 16:06:14 2015 -0600 @@ -193,6 +193,9 @@ exception. In versions prior to 3.5, '#' with 'c' had no effect. Now specifying it is an error. Patch by Torsten Landschoff. +- Issue #23165: Perform overflow checks before allocating memory in the + _Py_char2wchar function. + Library ------- diff -r b96985753613 -r 8c4fb312e15d Python/fileutils.c --- a/Python/fileutils.c Sun Jan 04 00:36:59 2015 -0800 +++ b/Python/fileutils.c Sun Jan 04 16:06:14 2015 -0600 @@ -220,8 +220,11 @@ wchar_t *res; unsigned char *in; wchar_t *out; + size_t argsize = strlen(arg) + 1; - res = PyMem_RawMalloc((strlen(arg)+1)*sizeof(wchar_t)); + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + return NULL; + res = PyMem_RawMalloc(argsize*sizeof(wchar_t)); if (!res) return NULL; @@ -305,10 +308,15 @@ argsize = mbstowcs(NULL, arg, 0); #endif if (argsize != (size_t)-1) { - res = (wchar_t *)PyMem_RawMalloc((argsize+1)*sizeof(wchar_t)); + if (argsize == PY_SSIZE_T_MAX) + goto oom; + argsize += 1; + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + goto oom; + res = (wchar_t *)PyMem_RawMalloc(argsize*sizeof(wchar_t)); if (!res) goto oom; - count = mbstowcs(res, arg, argsize+1); + count = mbstowcs(res, arg, argsize); if (count != (size_t)-1) { wchar_t *tmp; /* Only use the result if it contains no @@ -331,6 +339,8 @@ /* Overallocate; as multi-byte characters are in the argument, the actual output could use less memory. */ argsize = strlen(arg) + 1; + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + goto oom; res = (wchar_t*)PyMem_RawMalloc(argsize*sizeof(wchar_t)); if (!res) goto oom;