changeset:   102636:fdae903db33a
branch:      2.7
user:        Benjamin Peterson <benjamin@python.org>
date:        Sat Aug 13 17:17:06 2016 -0700
files:       Misc/NEWS Modules/_csv.c
description:
check for overflow in join_append_data (closes #27758)

Reported by Thomas E. Hybel


diff -r 6fa0ebfdc136 -r fdae903db33a Misc/NEWS
--- a/Misc/NEWS	Sat Aug 13 16:47:25 2016 -0700
+++ b/Misc/NEWS	Sat Aug 13 17:17:06 2016 -0700
@@ -29,6 +29,9 @@
 Library
 -------
 
+- Issue #27758: Fix possible integer overflow in the _csv module for large record
+  lengths.
+
 - Issue #23369: Fixed possible integer overflow in
   _json.encode_basestring_ascii.
 
diff -r 6fa0ebfdc136 -r fdae903db33a Modules/_csv.c
--- a/Modules/_csv.c	Sat Aug 13 16:47:25 2016 -0700
+++ b/Modules/_csv.c	Sat Aug 13 17:17:06 2016 -0700
@@ -985,11 +985,19 @@
     int i, rec_len;
     char *lineterm;
 
-#define ADDCH(c) \
+#define INCLEN \
+    do {\
+        if (!copy_phase && rec_len == INT_MAX) { \
+            goto overflow; \
+        } \
+        rec_len++; \
+    } while(0)
+
+#define ADDCH(c)                                \
     do {\
         if (copy_phase) \
             self->rec[rec_len] = c;\
-        rec_len++;\
+        INCLEN;\
     } while(0)
 
     lineterm = PyString_AsString(dialect->lineterminator);
@@ -1059,11 +1067,18 @@
     if (*quoted) {
         if (copy_phase)
             ADDCH(dialect->quotechar);
-        else
-            rec_len += 2;
+        else {
+            INCLEN; /* starting quote */
+            INCLEN; /* ending quote */
+        }
     }
     return rec_len;
+
+  overflow:
+    PyErr_NoMemory();
+    return -1;
 #undef ADDCH
+#undef INCLEN
 }
 
 static int