Skip to content

Commit 049cd6b

Browse files
gvanrossumgvanrossum
committed
Fix a nasty endcase reported by Armin Rigo in SF bug 618623:
'%2147483647d' % -123 segfaults. This was because an integer overflow in a comparison caused the string resize to be skipped. After fixing the overflow, this could call _PyString_Resize() with a negative size, so I (1) test for that and raise MemoryError instead; (2) also added a test for negative newsize to _PyString_Resize(), raising SystemError as for all bad arguments. An identical bug existed in unicodeobject.c, of course. Will backport to 2.2.2.
1 parent f689b88 commit 049cd6b

2 files changed

Lines changed: 12 additions & 4 deletions

File tree

Objects/stringobject.c

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3319,7 +3319,7 @@ _PyString_Resize(PyObject **pv, int newsize)
33193319
register PyObject *v;
33203320
register PyStringObject *sv;
33213321
v = *pv;
3322-
if (!PyString_Check(v) || v->ob_refcnt != 1) {
3322+
if (!PyString_Check(v) || v->ob_refcnt != 1 || newsize < 0) {
33233323
*pv = 0;
33243324
Py_DECREF(v);
33253325
PyErr_BadInternalCall();
@@ -3959,10 +3959,14 @@ PyString_Format(PyObject *format, PyObject *args)
39593959
}
39603960
if (width < len)
39613961
width = len;
3962-
if (rescnt < width + (sign != 0)) {
3962+
if (rescnt - (sign != 0) < width) {
39633963
reslen -= rescnt;
39643964
rescnt = width + fmtcnt + 100;
39653965
reslen += rescnt;
3966+
if (reslen < 0) {
3967+
Py_DECREF(result);
3968+
return PyErr_NoMemory();
3969+
}
39663970
if (_PyString_Resize(&result, reslen) < 0)
39673971
return NULL;
39683972
res = PyString_AS_STRING(result)

Objects/unicodeobject.c

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -261,7 +261,7 @@ int PyUnicode_Resize(PyObject **unicode,
261261
return -1;
262262
}
263263
v = (PyUnicodeObject *)*unicode;
264-
if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1) {
264+
if (v == NULL || !PyUnicode_Check(v) || v->ob_refcnt != 1 || length < 0) {
265265
PyErr_BadInternalCall();
266266
return -1;
267267
}
@@ -6483,10 +6483,14 @@ PyObject *PyUnicode_Format(PyObject *format,
64836483
}
64846484
if (width < len)
64856485
width = len;
6486-
if (rescnt < width + (sign != 0)) {
6486+
if (rescnt - (sign != 0) < width) {
64876487
reslen -= rescnt;
64886488
rescnt = width + fmtcnt + 100;
64896489
reslen += rescnt;
6490+
if (reslen < 0) {
6491+
Py_DECREF(result);
6492+
return PyErr_NoMemory();
6493+
}
64906494
if (_PyUnicode_Resize(&result, reslen) < 0)
64916495
return NULL;
64926496
res = PyUnicode_AS_UNICODE(result)

0 commit comments

Comments
 (0)