From: Andrew M. Kuchling <amk@amk.ca>
Date: Tue, 3 Oct 2006 19:27:00 +0000 (+0000)
Subject: [Backport r50858 | neal.norwitz]
X-Git-Tag: v2.4.4c1~61
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc17b6f005a151b685361661e545f9e0caa1beb9;p=thirdparty%2FPython%2Fcpython.git

[Backport r50858 | neal.norwitz]

No functional change.  Add comment and assert to describe why there
cannot be overflow which was reported by Klocwork.  Discussed on
python-dev.
---

diff --git a/Modules/unicodedata.c b/Modules/unicodedata.c
index 85f5f5f9df57..2f97df1978f6 100644
--- a/Modules/unicodedata.c
+++ b/Modules/unicodedata.c
@@ -230,6 +230,7 @@ unicodedata_decomposition(PyObject *self, PyObject *args)
     PyUnicodeObject *v;
     char decomp[256];
     int code, index, count, i;
+    unsigned int prefix_index;
 
     if (!PyArg_ParseTuple(args, "O!:decomposition",
 			  &PyUnicode_Type, &v))
@@ -257,9 +258,15 @@ unicodedata_decomposition(PyObject *self, PyObject *args)
     /* XXX: could allocate the PyString up front instead
        (strlen(prefix) + 5 * count + 1 bytes) */
 
+    /* Based on how index is calculated above and decomp_data is generated
+       from Tools/unicode/makeunicodedata.py, it should not be possible
+       to overflow decomp_prefix. */
+    prefix_index = decomp_data[index] & 255;
+    assert(prefix_index < (sizeof(decomp_prefix)/sizeof(*decomp_prefix)));
+
     /* copy prefix */
-    i = strlen(decomp_prefix[decomp_data[index] & 255]);
-    memcpy(decomp, decomp_prefix[decomp_data[index] & 255], i);
+    i = strlen(decomp_prefix[prefix_index]);
+    memcpy(decomp, decomp_prefix[prefix_index], i);
 
     while (count-- > 0) {
         if (i)