Issue #14700: Fix two broken and undefined-behaviour-inducing overflow checks in old-style string formatting. Thanks Serhiy Storchaka for report and original patch.

2025-07-15 15:25:29 +00:00 · 2012-05-07 11:20:50 +01:00 · 2012-05-07 11:20:50 +01:00 · 99e2e5552a
commit 99e2e5552a
parent 10ba07a39e
3 changed files with 9 additions and 2 deletions
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@ -13933,7 +13933,7 @@ PyUnicode_Format(PyObject *format, PyObject *args)
                    c = PyUnicode_READ(fmtkind, fmt, fmtpos++);
                    if (c < '0' || c > '9')
                        break;
-                    if ((width*10) / 10 != width) {
+                    if (width > (PY_SSIZE_T_MAX - (c - '0')) / 10) {
                        PyErr_SetString(PyExc_ValueError,
                                        "width too big");
                        goto onError;
@ -13968,7 +13968,7 @@ PyUnicode_Format(PyObject *format, PyObject *args)
                        c = PyUnicode_READ(fmtkind, fmt, fmtpos++);
                        if (c < '0' || c > '9')
                            break;
-                        if ((prec*10) / 10 != prec) {
+                        if (prec > (INT_MAX - (c - '0')) / 10) {
                            PyErr_SetString(PyExc_ValueError,
                                            "prec too big");
                            goto onError;