From 8f422461b4c19b8a66beae218311917e688f03ce Mon Sep 17 00:00:00 2001 From: Tim Peters Date: Sat, 9 Sep 2000 06:13:41 +0000 Subject: Fix for bug 113934. string*n and unicode*n did no overflow checking at all, either to see whether the # of chars fit in an int, or that the amount of memory needed fit in a size_t. Checking these is expensive, but the alternative is silently wrong answers (as in the bug report) or core dumps (which were easy to provoke using Unicode strings). --- Objects/stringobject.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'Objects/stringobject.c') diff --git a/Objects/stringobject.c b/Objects/stringobject.c index f7c3f4b157..eee355173a 100644 --- a/Objects/stringobject.c +++ b/Objects/stringobject.c @@ -393,16 +393,31 @@ string_repeat(register PyStringObject *a, register int n) register int i; register int size; register PyStringObject *op; + size_t nbytes; if (n < 0) n = 0; + /* watch out for overflows: the size can overflow int, + * and the # of bytes needed can overflow size_t + */ size = a->ob_size * n; + if (n && size / n != a->ob_size) { + PyErr_SetString(PyExc_OverflowError, + "repeated string is too long"); + return NULL; + } if (size == a->ob_size) { Py_INCREF(a); return (PyObject *)a; } - /* PyObject_NewVar is inlined */ + nbytes = size * sizeof(char); + if (nbytes / sizeof(char) != (size_t)size || + nbytes + sizeof(PyStringObject) <= nbytes) { + PyErr_SetString(PyExc_OverflowError, + "repeated string is too long"); + return NULL; + } op = (PyStringObject *) - PyObject_MALLOC(sizeof(PyStringObject) + size * sizeof(char)); + PyObject_MALLOC(sizeof(PyStringObject) + nbytes); if (op == NULL) return PyErr_NoMemory(); PyObject_INIT_VAR(op, &PyString_Type, size); -- cgit v1.2.1