From: Serhiy Storchaka <storchaka@gmail.com>
Date: Tue, 11 Jul 2017 03:55:25 +0000 (+0300)
Subject: bpo-22207: Add checks for possible integer overflows in unicodeobject.c. (#2623)
X-Git-Tag: v3.7.0a1~436
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=64e461b;p=thirdparty%2FPython%2Fcpython.git

bpo-22207: Add checks for possible integer overflows in unicodeobject.c. (#2623)

Based on patch by Victor Stinner.
---

diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index e396d68d1209..0e6cb7f2a5e6 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -5478,13 +5478,12 @@ _PyUnicode_EncodeUTF32(PyObject *str,
         /* four bytes are reserved for each surrogate */
         if (moreunits > 1) {
             Py_ssize_t outpos = out - (uint32_t*) PyBytes_AS_STRING(v);
-            Py_ssize_t morebytes = 4 * (moreunits - 1);
-            if (PyBytes_GET_SIZE(v) > PY_SSIZE_T_MAX - morebytes) {
+            if (moreunits >= (PY_SSIZE_T_MAX - PyBytes_GET_SIZE(v)) / 4) {
                 /* integer overflow */
                 PyErr_NoMemory();
                 goto error;
             }
-            if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + morebytes) < 0)
+            if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + 4 * (moreunits - 1)) < 0)
                 goto error;
             out = (uint32_t*) PyBytes_AS_STRING(v) + outpos;
         }
@@ -5830,13 +5829,12 @@ _PyUnicode_EncodeUTF16(PyObject *str,
         /* two bytes are reserved for each surrogate */
         if (moreunits > 1) {
             Py_ssize_t outpos = out - (unsigned short*) PyBytes_AS_STRING(v);
-            Py_ssize_t morebytes = 2 * (moreunits - 1);
-            if (PyBytes_GET_SIZE(v) > PY_SSIZE_T_MAX - morebytes) {
+            if (moreunits >= (PY_SSIZE_T_MAX - PyBytes_GET_SIZE(v)) / 2) {
                 /* integer overflow */
                 PyErr_NoMemory();
                 goto error;
             }
-            if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + morebytes) < 0)
+            if (_PyBytes_Resize(&v, PyBytes_GET_SIZE(v) + 2 * (moreunits - 1)) < 0)
                 goto error;
             out = (unsigned short*) PyBytes_AS_STRING(v) + outpos;
         }
@@ -6516,6 +6514,10 @@ _PyUnicode_DecodeUnicodeInternal(const char *s,
                      1))
         return NULL;
 
+    if (size < 0) {
+        PyErr_BadInternalCall();
+        return NULL;
+    }
     if (size == 0)
         _Py_RETURN_UNICODE_EMPTY();
 
@@ -7303,6 +7305,10 @@ decode_code_page_stateful(int code_page,
         PyErr_SetString(PyExc_ValueError, "invalid code page number");
         return NULL;
     }
+    if (size < 0) {
+        PyErr_BadInternalCall();
+        return NULL;
+    }
 
     if (consumed)
         *consumed = 0;