Commit 8ce68064 authored by Benjamin Peterson's avatar Benjamin Peterson

add overflow checking (closes #23361)

parent dee948b3
...@@ -16,6 +16,8 @@ Core and Builtins ...@@ -16,6 +16,8 @@ Core and Builtins
Library Library
------- -------
- Issue #23361: Fix possible overflow in Windows subprocess creation code.
- Issue #23363: Fix possible overflow in itertools.permutations. - Issue #23363: Fix possible overflow in itertools.permutations.
- Issue #23364: Fix possible overflow in itertools.product. - Issue #23364: Fix possible overflow in itertools.product.
......
...@@ -513,13 +513,23 @@ getenvironment(PyObject* environment) ...@@ -513,13 +513,23 @@ getenvironment(PyObject* environment)
"environment can only contain strings"); "environment can only contain strings");
goto error; goto error;
} }
if (totalsize > PY_SSIZE_T_MAX - PyUnicode_GET_LENGTH(key) - 1) {
PyErr_SetString(PyExc_OverflowError, "environment too long");
goto error;
}
totalsize += PyUnicode_GET_LENGTH(key) + 1; /* +1 for '=' */ totalsize += PyUnicode_GET_LENGTH(key) + 1; /* +1 for '=' */
if (totalsize > PY_SSIZE_T_MAX - PyUnicode_GET_LENGTH(value) - 1) {
PyErr_SetString(PyExc_OverflowError, "environment too long");
goto error;
}
totalsize += PyUnicode_GET_LENGTH(value) + 1; /* +1 for '\0' */ totalsize += PyUnicode_GET_LENGTH(value) + 1; /* +1 for '\0' */
} }
buffer = PyMem_Malloc(totalsize * sizeof(Py_UCS4)); buffer = PyMem_NEW(Py_UCS4, totalsize);
if (! buffer) if (! buffer) {
PyErr_NoMemory();
goto error; goto error;
}
p = buffer; p = buffer;
end = buffer + totalsize; end = buffer + totalsize;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment