Fix a nasty endcase reported by Armin Rigo in SF bug 618623:

'%2147483647d' % -123 segfaults. This was because an integer overflow in a comparison caused the string resize to be skipped. After fixing the overflow, this could call _PyString_Resize() with a negative size, so I (1) test for that and raise MemoryError instead; (2) also added a test for negative newsize to _PyString_Resize(), raising SystemError as for all bad arguments. An identical bug existed in unicodeobject.c, of course. Will backport to 2.2.2.

Fix a nasty endcase reported by Armin Rigo in SF bug 618623:
'%2147483647d' % -123 segfaults. This was because an integer overflow in a comparison caused the string resize to be skipped. After fixing the overflow, this could call _PyString_Resize() with a negative size, so I (1) test for that and raise MemoryError instead; (2) also added a test for negative newsize to _PyString_Resize(), raising SystemError as for all bad arguments. An identical bug existed in unicodeobject.c, of course. Will backport to 2.2.2.
049cd6b5 · Guido van Rossum · f689b88e · 049cd6b5 · 049cd6b5
Commit 049cd6b5 authored Oct 11, 2002 by Guido van Rossum
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 4 deletions

Objects/stringobject.c Objects/stringobject.c +6 -2

Objects/unicodeobject.c Objects/unicodeobject.c +6 -2

No files found.
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -3319,7 +3319,7 @@ _PyString_Resize(PyObject **pv, int newsize)
 	register PyObject *v;
 	register PyStringObject *sv;
 	v = *pv;
-	if (!PyString_Check(v) || v->ob_refcnt != 1) {
+	if (!PyString_Check(v) || v->ob_refcnt != 1 || newsize < 0) {
 		*pv = 0;
 		Py_DECREF(v);
 		PyErr_BadInternalCall();
@@ -3959,10 +3959,14 @@ PyString_Format(PyObject *format, PyObject *args)
 			}
 			if (width < len)
 				width = len;
-			if (rescnt < width + (sign != 0)) {
+			if (rescnt - (sign != 0) < width) {
 				reslen -= rescnt;
 				rescnt = width + fmtcnt + 100;
 				reslen += rescnt;
+				if (reslen < 0) {
+					Py_DECREF(result);
+					return PyErr_NoMemory();
+				}
 				if (_PyString_Resize(&result, reslen) < 0)
 					return NULL;
 				res = PyString_AS_STRING(result)

--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -261,7 +261,7 @@ int PyUnicode_Resize(PyObject **unicode,
 	return -1;
    }
    v = (PyUnicodeObject *)*unicode;
-    if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1) {
+    if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1 || length < 0) {
 	PyErr_BadInternalCall();
 	return -1;
    }
@@ -6483,10 +6483,14 @@ PyObject *PyUnicode_Format(PyObject *format,
 	    }
 	    if (width < len)
 		width = len;
-	    if (rescnt < width + (sign != 0)) {
+	    if (rescnt - (sign != 0) < width) {
 		reslen -= rescnt;
 		rescnt = width + fmtcnt + 100;
 		reslen += rescnt;
+		if (reslen < 0) {
+		    Py_DECREF(result);
+		    return PyErr_NoMemory();
+		}
 		if (_PyUnicode_Resize(&result, reslen) < 0)
 		    return NULL;
 		res = PyUnicode_AS_UNICODE(result)