mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-08-27 12:16:04 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

Fix for bug 113934. string*n and unicode*n did no overflow checking at

Browse source 
all, either to see whether the # of chars fit in an int, or that the
amount of memory needed fit in a size_t.  Checking these is expensive, but
the alternative is silently wrong answers (as in the bug report) or
core dumps (which were easy to provoke using Unicode strings).
This commit is contained in:
Tim Peters 2000-09-09 06:13:41 +00:00
parent 643d76d735
commit 8f422461b4
2 changed files with 36 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

21
Objects/unicodeobject.c
View file

@ -3993,6 +3993,8 @@ unicode_repeat(PyUnicodeObject *str, int len)
{
PyUnicodeObject *u;
Py_UNICODE *p;
int nchars;
size_t nbytes;
if (len < 0)
len = 0;
@ -4002,8 +4004,23 @@ unicode_repeat(PyUnicodeObject *str, int len)
Py_INCREF(str);
return (PyObject*) str;
}
u = _PyUnicode_New(len * str->length);
/* ensure # of chars needed doesn't overflow int and # of bytes
* needed doesn't overflow size_t
*/
nchars = len * str->length;
if (len && nchars / len != str->length) {
PyErr_SetString(PyExc_OverflowError,
"repeated string is too long");
return NULL;
}
nbytes = (nchars + 1) * sizeof(Py_UNICODE);
if (nbytes / sizeof(Py_UNICODE) != (size_t)(nchars + 1)) {
PyErr_SetString(PyExc_OverflowError,
"repeated string is too long");
return NULL;
}
u = _PyUnicode_New(nchars);
if (!u)
return NULL;