changeset: 94020:d45e16b1ed86 branch: 3.4 parent: 94014:badb7e319ed0 parent: 94019:d1af6f3a8ce3 user: Benjamin Peterson date: Sun Jan 04 16:05:39 2015 -0600 files: Misc/NEWS Python/fileutils.c description: merge 3.3 (closes #23165) diff -r badb7e319ed0 -r d45e16b1ed86 Misc/NEWS --- a/Misc/NEWS Sun Jan 04 00:36:04 2015 -0800 +++ b/Misc/NEWS Sun Jan 04 16:05:39 2015 -0600 @@ -38,6 +38,9 @@ - Issue #22518: Fix integer overflow issues in latin-1 encoding. +- Issue #23165: Perform overflow checks before allocating memory in the + _Py_char2wchar function. + Library ------- diff -r badb7e319ed0 -r d45e16b1ed86 Python/fileutils.c --- a/Python/fileutils.c Sun Jan 04 00:36:04 2015 -0800 +++ b/Python/fileutils.c Sun Jan 04 16:05:39 2015 -0600 @@ -220,8 +220,11 @@ wchar_t *res; unsigned char *in; wchar_t *out; + size_t argsize = strlen(arg) + 1; - res = PyMem_RawMalloc((strlen(arg)+1)*sizeof(wchar_t)); + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + return NULL; + res = PyMem_RawMalloc(argsize*sizeof(wchar_t)); if (!res) return NULL; @@ -303,10 +306,15 @@ argsize = mbstowcs(NULL, arg, 0); #endif if (argsize != (size_t)-1) { - res = (wchar_t *)PyMem_RawMalloc((argsize+1)*sizeof(wchar_t)); + if (argsize == PY_SSIZE_T_MAX) + goto oom; + argsize += 1; + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + goto oom; + res = (wchar_t *)PyMem_RawMalloc(argsize*sizeof(wchar_t)); if (!res) goto oom; - count = mbstowcs(res, arg, argsize+1); + count = mbstowcs(res, arg, argsize); if (count != (size_t)-1) { wchar_t *tmp; /* Only use the result if it contains no @@ -329,6 +337,8 @@ /* Overallocate; as multi-byte characters are in the argument, the actual output could use less memory. */ argsize = strlen(arg) + 1; + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + goto oom; res = (wchar_t*)PyMem_RawMalloc(argsize*sizeof(wchar_t)); if (!res) goto oom;