From 3147bf358061a302e5fd6bfbe95eabce8dc76cc2 Mon Sep 17 00:00:00 2001
From: Jay Bosamiya
Date: Wed, 14 Jun 2017 01:37:36 +0530
Subject: [PATCH 1/2] [2.7] bpo-30657: Check & prevent integer overflow Checks and prevents possible integer overflow in PyString_DecodeEscape
---
 Objects/stringobject.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index c78e19316a06ac..59d22e76946bb2 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s,
 char *p, *buf;
 const char *end;
 PyObject *v;
- Py_ssize_t newlen = recode_encoding ? 4*len:len;
+ Py_ssize_t newlen;
+ /* Check for integer overflow */
+ if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
+ PyErr_SetString(PyExc_OverflowError, "string is too large");
+ return NULL;
+ }
+ newlen = recode_encoding ? 4*len:len;
 v = PyString_FromStringAndSize((char *)NULL, newlen);
 if (v == NULL)
 return NULL;
From 1c2659d0bf4194b4bf0f2b9ba996316e5b33a7e7 Mon Sep 17 00:00:00 2001
From: Jay Bosamiya
Date: Sun, 18 Jun 2017 22:01:50 +0530
Subject: [PATCH 2/2] Add entry to Misc/NEWS and name to Misc/ACKS
---
 Misc/ACKS | 1 +
 Misc/NEWS | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/Misc/ACKS b/Misc/ACKS
index 95be42717a0c09..a411bc5ffc8f72 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -152,6 +152,7 @@ Gregory Bond
 Matias Bordese
 Jonas Borgström
 Jurjen Bos
+Jay Bosamiya
 Peter Bosch
 Dan Boswell
 Eric Bouck
diff --git a/Misc/NEWS b/Misc/NEWS
index 5f75841347a806..3e8573d9042d92 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 2.7.14?
 Core and Builtins
 -----------------
+- bpo-30657: Fixed possible integer overflow in PyString_DecodeEscape.
+ Patch by Jay Bosamiya.
+
 - bpo-27945: Fixed various segfaults with dict when input collections are mutated during searching, inserting or comparing. Based on patches by Duane Griffin and Tim Mitchell.
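Review bot: In the Objects/stringobject.c hunk of patch 1/2, the new comment `/* Check for integer overflow */` does not say which expression is guarded or why it matters; something like `/* 4*len sizes the result buffer; reject len for which the product would overflow Py_ssize_t */` would tell the next reader what breaks if the check is removed. As far as the hunk shows, newlen goes straight into PyString_FromStringAndSize, so a wrapped product would presumably give an allocation smaller than the decoding code after the hunk expects (that code is not visible here). The guard bounds len only from above, so a negative len is still multiplied and left for the allocator call to reject, which is worth stating in the comment. Going by the diffstats, neither patch in the series adds a regression test for the new OverflowError path.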