From: Benjamin Peterson <benjamin@python.org>
Date: Tue, 10 Feb 2015 01:58:12 +0000 (-0500)
Subject: add overflow checking (closes #23361)
X-Git-Tag: v3.5.0a2~176^2^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8ce6806498be8aa8ae4bd3d3d83624766557ffad;p=thirdparty%2FPython%2Fcpython.git

add overflow checking (closes #23361)
---

diff --git a/Misc/NEWS b/Misc/NEWS
index 5e1dbf04411e..7d1dfb82fe16 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -16,6 +16,8 @@ Core and Builtins
 Library
 -------
 
+- Issue #23361: Fix possible overflow in Windows subprocess creation code.
+
 - Issue #23363: Fix possible overflow in itertools.permutations.
 
 - Issue #23364: Fix possible overflow in itertools.product.
diff --git a/Modules/_winapi.c b/Modules/_winapi.c
index c53d55a535fe..5257a1e6152b 100644
--- a/Modules/_winapi.c
+++ b/Modules/_winapi.c
@@ -513,13 +513,23 @@ getenvironment(PyObject* environment)
                 "environment can only contain strings");
             goto error;
         }
+        if (totalsize > PY_SSIZE_T_MAX - PyUnicode_GET_LENGTH(key) - 1) {
+            PyErr_SetString(PyExc_OverflowError, "environment too long");
+            goto error;
+        }
         totalsize += PyUnicode_GET_LENGTH(key) + 1;    /* +1 for '=' */
+        if (totalsize > PY_SSIZE_T_MAX - PyUnicode_GET_LENGTH(value) - 1) {
+            PyErr_SetString(PyExc_OverflowError, "environment too long");
+            goto error;
+        }
         totalsize += PyUnicode_GET_LENGTH(value) + 1;  /* +1 for '\0' */
     }
 
-    buffer = PyMem_Malloc(totalsize * sizeof(Py_UCS4));
-    if (! buffer)
+    buffer = PyMem_NEW(Py_UCS4, totalsize);
+    if (! buffer) {
+        PyErr_NoMemory();
         goto error;
+    }
     p = buffer;
     end = buffer + totalsize;