From: Benjamin Peterson <benjamin@python.org>
Date: Mon, 2 Mar 2015 16:17:05 +0000 (-0500)
Subject: fix possible overflow bugs in unicodedata (closes #23367)
X-Git-Tag: v3.5.0a2~45^2^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b779bfba458a8147cce44100cbc14ec304807197;p=thirdparty%2FPython%2Fcpython.git

fix possible overflow bugs in unicodedata (closes #23367)
---

diff --git a/Misc/NEWS b/Misc/NEWS
index 7d1dfb82fe16..ae04f59ac24b 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -16,6 +16,8 @@ Core and Builtins
 Library
 -------
 
+- Issue #23367: Fix possible overflows in the unicodedata module.
+
 - Issue #23361: Fix possible overflow in Windows subprocess creation code.
 
 - Issue #23363: Fix possible overflow in itertools.permutations.
diff --git a/Modules/unicodedata.c b/Modules/unicodedata.c
index f4d3608750c5..9fb1191fc593 100644
--- a/Modules/unicodedata.c
+++ b/Modules/unicodedata.c
@@ -507,10 +507,17 @@ nfd_nfkd(PyObject *self, PyObject *input, int k)
 
     stackptr = 0;
     isize = PyUnicode_GET_LENGTH(input);
+    space = isize;
     /* Overallocate at most 10 characters. */
-    space = (isize > 10 ? 10 : isize) + isize;
+    if (space > 10) {
+        if (space <= PY_SSIZE_T_MAX - 10)
+            space += 10;
+    }
+    else {
+        space *= 2;
+    }
     osize = space;
-    output = PyMem_Malloc(space * sizeof(Py_UCS4));
+    output = PyMem_NEW(Py_UCS4, space);
     if (!output) {
         PyErr_NoMemory();
         return NULL;
@@ -657,7 +664,7 @@ nfc_nfkc(PyObject *self, PyObject *input, int k)
     /* We allocate a buffer for the output.
        If we find that we made no changes, we still return
        the NFD result. */
-    output = PyMem_Malloc(len * sizeof(Py_UCS4));
+    output = PyMem_NEW(Py_UCS4, len);
     if (!output) {
         PyErr_NoMemory();
         Py_DECREF(result);