From 06cfb0cd7037795cc7dca2729a241ed2a1fb1628 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Sun, 10 Jul 2016 20:48:43 +0300
Subject: Issue #27473: Fixed possible integer overflow in bytes and bytearray
 concatenations.  Patch by Xiang Zhang.

---
 Objects/bytesobject.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

(limited to 'Objects/bytesobject.c')

diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
index c2aa65c3bc..5934336f89 100644
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -1265,7 +1265,6 @@ bytes_length(PyBytesObject *a)
 static PyObject *
 bytes_concat(PyObject *a, PyObject *b)
 {
-    Py_ssize_t size;
     Py_buffer va, vb;
     PyObject *result = NULL;
 
@@ -1290,13 +1289,12 @@ bytes_concat(PyObject *a, PyObject *b)
         goto done;
     }
 
-    size = va.len + vb.len;
-    if (size < 0) {
+    if (va.len > PY_SSIZE_T_MAX - vb.len) {
         PyErr_NoMemory();
         goto done;
     }
 
-    result = PyBytes_FromStringAndSize(NULL, size);
+    result = PyBytes_FromStringAndSize(NULL, va.len + vb.len);
     if (result != NULL) {
         memcpy(PyBytes_AS_STRING(result), va.buf, va.len);
         memcpy(PyBytes_AS_STRING(result) + va.len, vb.buf, vb.len);
-- 
cgit v1.2.1