changeset: 92636:d9cd11eda152
branch: 2.7
user: Benjamin Peterson
date: Mon Sep 29 19:01:18 2014 -0400
files: Misc/NEWS Objects/stringobject.c
description:
fix overflow checking in PyString_Repr (closes #22519)

diff -r c55a75d4bcc7 -r d9cd11eda152 Misc/NEWS
--- a/Misc/NEWS Mon Sep 29 18:55:02 2014 -0400
+++ b/Misc/NEWS Mon Sep 29 19:01:18 2014 -0400
@@ -10,6 +10,8 @@
 Core and Builtins
 -----------------
 
+- Issue #22519: Fix overflow checking in PyString_Repr.
+
 - Issue #22518: Fix integer overflow issues in latin-1 encoding.
 
 - Issue #22379: Fix empty exception message in a TypeError raised in
diff -r c55a75d4bcc7 -r d9cd11eda152 Objects/stringobject.c
--- a/Objects/stringobject.c Mon Sep 29 18:55:02 2014 -0400
+++ b/Objects/stringobject.c Mon Sep 29 19:01:18 2014 -0400
@@ -926,13 +926,14 @@
 PyString_Repr(PyObject *obj, int smartquotes)
 {
 register PyStringObject* op = (PyStringObject*) obj;
- size_t newsize = 2 + 4 * Py_SIZE(op);
+ size_t newsize;
 PyObject *v;
- if (newsize > PY_SSIZE_T_MAX || newsize / 4 != Py_SIZE(op)) {
+ if (Py_SIZE(op) > (PY_SSIZE_T_MAX - 2)/4) {
 PyErr_SetString(PyExc_OverflowError,
 "string is too large to make repr");
 return NULL;
 }
+ newsize = 2 + 4*Py_SIZE(op);
 v = PyString_FromStringAndSize((char *)NULL, newsize);
 if (v == NULL) {
 return NULL;
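Review bot: The reordered guard in PyString_Repr carries no comment explaining why the bound is tested before `2 + 4*Py_SIZE(op)` is evaluated, which makes it easy for a later cleanup to fold the check back into the post-hoc form this commit removes. The multiplication is carried out in Py_ssize_t, so an overflow there is signed overflow (undefined behaviour); a test on the already-computed `newsize` may be optimized away, which would leave the allocation smaller than whatever the rest of the function writes into it. I would add above the `if`: `/* Bound Py_SIZE(op) before multiplying: 4*Py_SIZE(op) is signed arithmetic, so a check on the result can be optimized out. */`. The function body continues past the end of the hunk, so whether `newsize` still has to be `size_t` rather than `Py_ssize_t` (the value is now known to fit) cannot be judged from here.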