From: Benjamin Peterson <benjamin@python.org>
Date: Sun, 14 Aug 2016 01:36:55 +0000 (-0700)
Subject: merge 3.3 (closes #27760)
X-Git-Tag: v3.4.6rc1~31
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5295532adb9d33970dd0f3370ab45c4e3bc3757c;p=thirdparty%2FPython%2Fcpython.git

merge 3.3 (closes #27760)
---

5295532adb9d33970dd0f3370ab45c4e3bc3757c
diff --cc Misc/NEWS
index ca80c73b3510,b2f081c83564..4e457f0c7688
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@@ -13,9 -13,24 +13,11 @@@ Core and Builtin
  Library
  -------
  
 +- In the curses module, raise an error if window.getstr() is passed a negative
 +  value.
 +
+ - Issue #27760: Fix possible integer overflow in binascii.b2a_qp.
+ 
  - Issue #27758: Fix possible integer overflow in the _csv module for large record
    lengths.
  
diff --cc Modules/binascii.c
index ea14d3c02748,829bde8c5f8d..c9309cedd7cf
--- a/Modules/binascii.c
+++ b/Modules/binascii.c
@@@ -1408,16 -1365,17 +1408,17 @@@ binascii_b2a_qp_impl(PyModuleDef *modul
      /* First, scan to see how many characters need to be encoded */
      in = 0;
      while (in < datalen) {
+         Py_ssize_t delta = 0;
 -        if ((data[in] > 126) ||
 -            (data[in] == '=') ||
 -            (header && data[in] == '_') ||
 -            ((data[in] == '.') && (linelen == 0) &&
 -             (data[in+1] == '\n' || data[in+1] == '\r' || data[in+1] == 0)) ||
 -            (!istext && ((data[in] == '\r') || (data[in] == '\n'))) ||
 -            ((data[in] == '\t' || data[in] == ' ') && (in + 1 == datalen)) ||
 -            ((data[in] < 33) &&
 -             (data[in] != '\r') && (data[in] != '\n') &&
 -             (quotetabs || ((data[in] != '\t') && (data[in] != ' ')))))
 +        if ((databuf[in] > 126) ||
 +            (databuf[in] == '=') ||
 +            (header && databuf[in] == '_') ||
 +            ((databuf[in] == '.') && (linelen == 0) &&
 +             (databuf[in+1] == '\n' || databuf[in+1] == '\r' || databuf[in+1] == 0)) ||
 +            (!istext && ((databuf[in] == '\r') || (databuf[in] == '\n'))) ||
 +            ((databuf[in] == '\t' || databuf[in] == ' ') && (in + 1 == datalen)) ||
 +            ((databuf[in] < 33) &&
 +             (databuf[in] != '\r') && (databuf[in] != '\n') &&
 +             (quotetabs || ((databuf[in] != '\t') && (databuf[in] != ' ')))))
          {
              if ((linelen + 3) >= MAXLINESIZE) {
                  linelen = 0;
@@@ -1438,13 -1396,13 +1439,13 @@@
              {
                  linelen = 0;
                  /* Protect against whitespace on end of line */
 -                if (in && ((data[in-1] == ' ') || (data[in-1] == '\t')))
 +                if (in && ((databuf[in-1] == ' ') || (databuf[in-1] == '\t')))
-                     odatalen += 2;
+                     delta += 2;
                  if (crlf)
-                     odatalen += 2;
+                     delta += 2;
                  else
-                     odatalen += 1;
+                     delta += 1;
 -                if (data[in] == '\r')
 +                if (databuf[in] == '\r')
                      in += 2;
                  else
                      in++;
@@@ -1464,6 -1422,12 +1465,11 @@@
                  in++;
              }
          }
+         if (PY_SSIZE_T_MAX - delta < odatalen) {
 -            PyBuffer_Release(&pdata);
+             PyErr_NoMemory();
+             return NULL;
+         }
+         odatalen += delta;
      }
  
      /* We allocate the output same size as input, this is overkill.