changeset: 94019:d1af6f3a8ce3 branch: 3.3 parent: 93996:3b202cc79a38 parent: 94018:1ce98e85929d user: Benjamin Peterson date: Sun Jan 04 16:03:59 2015 -0600 files: Misc/NEWS Python/fileutils.c description: merge 3.2 (closes #23165) diff -r 3b202cc79a38 -r d1af6f3a8ce3 Misc/NEWS --- a/Misc/NEWS Wed Dec 31 18:10:13 2014 -0600 +++ b/Misc/NEWS Sun Jan 04 16:03:59 2015 -0600 @@ -23,6 +23,9 @@ - Issue #22518: Fix integer overflow issues in latin-1 encoding. +- Issue #23165: Perform overflow checks before allocating memory in the + _Py_char2wchar function. + Library ------- diff -r 3b202cc79a38 -r d1af6f3a8ce3 Python/fileutils.c --- a/Python/fileutils.c Wed Dec 31 18:10:13 2014 -0600 +++ b/Python/fileutils.c Sun Jan 04 16:03:59 2015 -0600 @@ -201,8 +201,11 @@ wchar_t *res; unsigned char *in; wchar_t *out; + size_t argsize = strlen(arg) + 1; - res = PyMem_Malloc((strlen(arg)+1)*sizeof(wchar_t)); + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + return NULL; + res = PyMem_Malloc(argsize*sizeof(wchar_t)); if (!res) return NULL; @@ -284,10 +287,15 @@ argsize = mbstowcs(NULL, arg, 0); #endif if (argsize != (size_t)-1) { - res = (wchar_t *)PyMem_Malloc((argsize+1)*sizeof(wchar_t)); + if (argsize == PY_SSIZE_T_MAX) + goto oom; + argsize += 1; + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + goto oom; + res = (wchar_t *)PyMem_Malloc(argsize*sizeof(wchar_t)); if (!res) goto oom; - count = mbstowcs(res, arg, argsize+1); + count = mbstowcs(res, arg, argsize); if (count != (size_t)-1) { wchar_t *tmp; /* Only use the result if it contains no @@ -310,6 +318,8 @@ /* Overallocate; as multi-byte characters are in the argument, the actual output could use less memory. */ argsize = strlen(arg) + 1; + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + goto oom; res = (wchar_t*)PyMem_Malloc(argsize*sizeof(wchar_t)); if (!res) goto oom;