changeset: 102645:af42635b5ed1
branch: 2.7
parent: 102641:1ab60d0686df
user: Benjamin Peterson
date: Sat Aug 13 18:33:33 2016 -0700
files: Misc/NEWS Modules/binascii.c
description: fix possible integer overflow in binascii.b2a_qp (closes #27760) Reported by Thomas E. Hybel
diff -r 1ab60d0686df -r af42635b5ed1 Misc/NEWS
--- a/Misc/NEWS Sat Aug 13 18:15:28 2016 -0700
+++ b/Misc/NEWS Sat Aug 13 18:33:33 2016 -0700
@@ -29,6 +29,8 @@
 Library
 -------
+- Issue #27760: Fix possible integer overflow in binascii.b2a_qp.
+
 - In the curses module, raise an error if window.getstr() is passed a negative value.
diff -r 1ab60d0686df -r af42635b5ed1 Modules/binascii.c
--- a/Modules/binascii.c Sat Aug 13 18:15:28 2016 -0700
+++ b/Modules/binascii.c Sat Aug 13 18:33:33 2016 -0700
@@ -1316,6 +1316,7 @@
 /* First, scan to see how many characters need to be encoded */
 in = 0;
 while (in < datalen) {
+ Py_ssize_t delta = 0;
 if ((data[in] > 126) ||
 (data[in] == '=') ||
 (header && data[in] == '_') ||
@@ -1331,12 +1332,12 @@
 if ((linelen + 3) >= MAXLINESIZE) {
 linelen = 0;
 if (crlf)
- odatalen += 3;
+ delta += 3;
 else
- odatalen += 2;
+ delta += 2;
 }
 linelen += 3;
- odatalen += 3;
+ delta += 3;
 in++;
 }
 else {
@@ -1348,11 +1349,11 @@
 linelen = 0;
 /* Protect against whitespace on end of line */
 if (in && ((data[in-1] == ' ') || (data[in-1] == '\t')))
- odatalen += 2;
+ delta += 2;
 if (crlf)
- odatalen += 2;
+ delta += 2;
 else
- odatalen += 1;
+ delta += 1;
 if (data[in] == '\r')
 in += 2;
 else
@@ -1364,15 +1365,21 @@
 (linelen + 1) >= MAXLINESIZE) {
 linelen = 0;
 if (crlf)
- odatalen += 3;
+ delta += 3;
 else
- odatalen += 2;
+ delta += 2;
 }
 linelen++;
- odatalen++;
+ delta++;
 in++;
 }
 }
+ if (PY_SSIZE_T_MAX - delta < odatalen) {
+ PyBuffer_Release(&pdata);
+ PyErr_NoMemory();
+ return NULL;
+ }
+ odatalen += delta;
 }
 /* We allocate the output same size as input, this is overkill.
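Review bot: The guard added at the end of the loop body in the last hunk, `if (PY_SSIZE_T_MAX - delta < odatalen)`, has no comment saying why the subtraction itself cannot wrap or what the bound protects; I would put `/* delta is at most 6 per input byte, so PY_SSIZE_T_MAX - delta cannot underflow; odatalen is used to size the output buffer */` above it. The last clause of that comment is inferred from the trailing context comment about allocating the output, since the allocation itself is outside the hunk. The error path could also be written as `PyBuffer_Release(&pdata); return PyErr_NoMemory();`, which is the usual CPython form because that call returns NULL. The changeset lists only Misc/NEWS and Modules/binascii.c, so nothing exercises the new branch; a large-input regression test would pin it. The while loop and the enclosing function start and end outside these hunks.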