Commit 64e461be authored by Serhiy Storchaka's avatar Serhiy Storchaka Committed by GitHub

bpo-22207: Add checks for possible integer overflows in unicodeobject.c. (#2623)

Based on patch by Victor Stinner.
parent 1180e5a5
...@@ -5478,13 +5478,12 @@ _PyUnicode_EncodeUTF32(PyObject *str, ...@@ -5478,13 +5478,12 @@ _PyUnicode_EncodeUTF32(PyObject *str,
/* four bytes are reserved for each surrogate */ /* four bytes are reserved for each surrogate */
if (moreunits > 1) { if (moreunits > 1) {
Py_ssize_t outpos = out - (uint32_t*) PyBytes_AS_STRING(v); Py_ssize_t outpos = out - (uint32_t*) PyBytes_AS_STRING(v);
Py_ssize_t morebytes = 4 * (moreunits - 1); if (moreunits >= (PY_SSIZE_T_MAX - PyBytes_GET_SIZE(v)) / 4) {
if (PyBytes_GET_SIZE(v) > PY_SSIZE_T_MAX - morebytes) {
/* integer overflow */ /* integer overflow */
PyErr_NoMemory(); PyErr_NoMemory();
goto error; goto error;
} }
if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + morebytes) < 0) if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + 4 * (moreunits - 1)) < 0)
goto error; goto error;
out = (uint32_t*) PyBytes_AS_STRING(v) + outpos; out = (uint32_t*) PyBytes_AS_STRING(v) + outpos;
} }
...@@ -5830,13 +5829,12 @@ _PyUnicode_EncodeUTF16(PyObject *str, ...@@ -5830,13 +5829,12 @@ _PyUnicode_EncodeUTF16(PyObject *str,
/* two bytes are reserved for each surrogate */ /* two bytes are reserved for each surrogate */
if (moreunits > 1) { if (moreunits > 1) {
Py_ssize_t outpos = out - (unsigned short*) PyBytes_AS_STRING(v); Py_ssize_t outpos = out - (unsigned short*) PyBytes_AS_STRING(v);
Py_ssize_t morebytes = 2 * (moreunits - 1); if (moreunits >= (PY_SSIZE_T_MAX - PyBytes_GET_SIZE(v)) / 2) {
if (PyBytes_GET_SIZE(v) > PY_SSIZE_T_MAX - morebytes) {
/* integer overflow */ /* integer overflow */
PyErr_NoMemory(); PyErr_NoMemory();
goto error; goto error;
} }
if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + morebytes) < 0) if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + 2 * (moreunits - 1)) < 0)
goto error; goto error;
out = (unsigned short*) PyBytes_AS_STRING(v) + outpos; out = (unsigned short*) PyBytes_AS_STRING(v) + outpos;
} }
...@@ -6516,6 +6514,10 @@ _PyUnicode_DecodeUnicodeInternal(const char *s, ...@@ -6516,6 +6514,10 @@ _PyUnicode_DecodeUnicodeInternal(const char *s,
1)) 1))
return NULL; return NULL;
if (size < 0) {
PyErr_BadInternalCall();
return NULL;
}
if (size == 0) if (size == 0)
_Py_RETURN_UNICODE_EMPTY(); _Py_RETURN_UNICODE_EMPTY();
...@@ -7303,6 +7305,10 @@ decode_code_page_stateful(int code_page, ...@@ -7303,6 +7305,10 @@ decode_code_page_stateful(int code_page,
PyErr_SetString(PyExc_ValueError, "invalid code page number"); PyErr_SetString(PyExc_ValueError, "invalid code page number");
return NULL; return NULL;
} }
if (size < 0) {
PyErr_BadInternalCall();
return NULL;
}
if (consumed) if (consumed)
*consumed = 0; *consumed = 0;
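Review bot: In the _PyUnicode_EncodeUTF32 hunk the new guard `moreunits >= (PY_SSIZE_T_MAX - PyBytes_GET_SIZE(v)) / 4` still carries only the old `/* integer overflow */` comment, which does not explain why the comparison is now done by division instead of on a precomputed byte count. The removed code evaluated `4 * (moreunits - 1)` before any check, so the multiplication itself could overflow; the new form avoids that and appears to be slightly stricter than required, since it also rejects a request that would fit exactly. I would record that next to the check, e.g. `/* divide rather than multiply: 4 * (moreunits - 1) must not be computed until it is known to fit in Py_ssize_t */`, and the same with 2 in the _PyUnicode_EncodeUTF16 hunk. The declaration of moreunits is outside the visible lines, so this assumes it is a Py_ssize_t, and both functions start and end outside their hunks.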