Backport stringobject.c 2.194 and unicodeobject.c 2.172:

Fix a nasty endcase reported by Armin Rigo in SF bug 618623:
'%2147483647d' % -123 segfaults.  This was because an integer overflow
in a comparison caused the string resize to be skipped.  After fixing
the overflow, this could call _PyString_Resize() with a negative size,
so I (1) test for that and raise MemoryError instead; (2) also added a
test for negative newsize to _PyString_Resize(), raising SystemError
as for all bad arguments.

An identical bug existed in unicodeobject.c, of course.

diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index 8f7edaa70ed1566c48eddb8c1c05f2c7763a7836..bd416bf1c7e23c3146f649ee325aab33fa1adab4 100644 (file)
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -2988,7 +2988,7 @@ _PyString_Resize(PyObject **pv, int newsize)
        register PyObject *v;
        register PyStringObject *sv;
        v = *pv;
-       if (!PyString_Check(v) || v->ob_refcnt != 1) {
+       if (!PyString_Check(v) || v->ob_refcnt != 1 || newsize < 0) {
                *pv = 0;
                Py_DECREF(v);
                PyErr_BadInternalCall();
@@ -3600,10 +3600,14 @@ PyString_Format(PyObject *format, PyObject *args)
                        }
                        if (width < len)
                                width = len;
-                       if (rescnt < width + (sign != 0)) {
+                       if (rescnt - (sign != 0) < width) {
                                reslen -= rescnt;
                                rescnt = width + fmtcnt + 100;
                                reslen += rescnt;
+                               if (reslen < 0) {
+                                       Py_DECREF(result);
+                                       return PyErr_NoMemory();
+                               }
                                if (_PyString_Resize(&result, reslen) < 0)
                                        return NULL;
                                res = PyString_AS_STRING(result)

diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index edee91e27e0bbf33e2e371640906dff7048e44f2..b11a69069813e71788b2b8c1233b1142ac421f80 100644 (file)
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -261,7 +261,7 @@ int PyUnicode_Resize(PyObject **unicode,
        return -1;
     }
     v = (PyUnicodeObject *)*unicode;
-    if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1) {
+    if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1 || length < 0) {
        PyErr_BadInternalCall();
        return -1;
     }
@@ -5731,10 +5731,14 @@ PyObject *PyUnicode_Format(PyObject *format,
            }
            if (width < len)
                width = len;
-           if (rescnt < width + (sign != 0)) {
+           if (rescnt - (sign != 0) < width) {
                reslen -= rescnt;
                rescnt = width + fmtcnt + 100;
                reslen += rescnt;
+               if (reslen < 0) {
+                   Py_DECREF(result);
+                   return PyErr_NoMemory();
+               }
                if (_PyUnicode_Resize(&result, reslen) < 0)
                    return NULL;
                res = PyUnicode_AS_UNICODE(result)