mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-08-29 21:25:01 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

Issue #16096: Fix several occurrences of potential signed integer overflow. Thanks Serhiy Storchaka.

Browse source
This commit is contained in:
Mark Dickinson 2012-10-06 18:04:49 +01:00
parent a2028733ef
commit c04ddff290
7 changed files with 30 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

23
Objects/unicodeobject.c
View file

@ -4492,7 +4492,6 @@ _PyUnicode_EncodeUTF7(PyObject *str,
void *data;
Py_ssize_t len;
PyObject *v;
Py_ssize_t allocated;
int inShift = 0;
Py_ssize_t i;
unsigned int base64bits = 0;
@ -4510,11 +4509,9 @@ _PyUnicode_EncodeUTF7(PyObject *str,
return PyBytes_FromStringAndSize(NULL, 0);
/* It might be possible to tighten this worst case */
allocated = 8 * len;
if (allocated / 8 != len)
if (len > PY_SSIZE_T_MAX / 8)
return PyErr_NoMemory();
v = PyBytes_FromStringAndSize(NULL, allocated);
v = PyBytes_FromStringAndSize(NULL, len * 8);
if (v == NULL)
return NULL;
@ -5092,7 +5089,7 @@ _PyUnicode_EncodeUTF32(PyObject *str,
Py_ssize_t len;
PyObject *v;
unsigned char *p;
Py_ssize_t nsize, bytesize, i;
Py_ssize_t nsize, i;
/* Offsets from p for storing byte pairs in the right order. */
#ifdef BYTEORDER_IS_LITTLE_ENDIAN
int iorder[] = {0, 1, 2, 3};
@ -5120,10 +5117,9 @@ _PyUnicode_EncodeUTF32(PyObject *str,
len = PyUnicode_GET_LENGTH(str);
nsize = len + (byteorder == 0);
bytesize = nsize * 4;
if (bytesize / 4 != nsize)
if (nsize > PY_SSIZE_T_MAX / 4)
return PyErr_NoMemory();
v = PyBytes_FromStringAndSize(NULL, bytesize);
v = PyBytes_FromStringAndSize(NULL, nsize * 4);
if (v == NULL)
return NULL;
@ -10159,7 +10155,7 @@ replace(PyObject *self, PyObject *str1,
}
else {
Py_ssize_t n, i, j, ires;
Py_ssize_t product, new_size;
Py_ssize_t new_size;
int rkind = skind;
char *res;
@ -10191,19 +10187,18 @@ replace(PyObject *self, PyObject *str1,
}
/* new_size = PyUnicode_GET_LENGTH(self) + n * (PyUnicode_GET_LENGTH(str2) -
PyUnicode_GET_LENGTH(str1))); */
product = n * (len2-len1);
if ((product / (len2-len1)) != n) {
if (len2 > len1 && len2 - len1 > (PY_SSIZE_T_MAX - slen) / n) {
PyErr_SetString(PyExc_OverflowError,
"replace string is too long");
goto error;
}
new_size = slen + product;
new_size = slen + n * (len2 - len1);
if (new_size == 0) {
Py_INCREF(unicode_empty);
u = unicode_empty;
goto done;
}
if (new_size < 0 || new_size > (PY_SSIZE_T_MAX >> (rkind-1))) {
if (new_size > (PY_SSIZE_T_MAX >> (rkind-1))) {
PyErr_SetString(PyExc_OverflowError,
"replace string is too long");
goto error;