From: Benjamin Peterson <benjamin@python.org>
Date: Mon, 2 Mar 2015 16:17:05 +0000 (-0500)
Subject: fix possible overflow bugs in unicodedata (closes #23367)
X-Git-Tag: v2.7.10rc1~148
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b027c6cae0bf591d62348f555116f28e0c081880;p=thirdparty%2FPython%2Fcpython.git

fix possible overflow bugs in unicodedata (closes #23367)
---

diff --git a/Misc/NEWS b/Misc/NEWS
index be6896151a51..288a48433b58 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -50,6 +50,8 @@ Library
   posixpath.expandvars().  Fixed all os.path implementations on
   unicode-disabled builds.
 
+- Issue #23367: Fix possible overflows in the unicodedata module.
+
 - Issue #23363: Fix possible overflow in itertools.permutations.
 
 - Issue #23364: Fix possible overflow in itertools.product.
diff --git a/Modules/unicodedata.c b/Modules/unicodedata.c
index 6f9c7e8e8313..6b01fc7616b1 100644
--- a/Modules/unicodedata.c
+++ b/Modules/unicodedata.c
@@ -506,8 +506,15 @@ nfd_nfkd(PyObject *self, PyObject *input, int k)
 
     stackptr = 0;
     isize = PyUnicode_GET_SIZE(input);
+    space = isize;
     /* Overallocate at most 10 characters. */
-    space = (isize > 10 ? 10 : isize) + isize;
+    if (space > 10) {
+        if (space <= PY_SSIZE_T_MAX - 10)
+            space += 10;
+    }
+    else {
+        space *= 2;
+    }
     result = PyUnicode_FromUnicode(NULL, space);
     if (!result)
         return NULL;