From e04c1bbd50a259a17b5f25e63871ffab577304e1 Mon Sep 17 00:00:00 2001
From: Guido van Rossum
Date: Fri, 11 Oct 2002 00:43:48 +0000
Subject: Fix a nasty endcase reported by Armin Rigo in SF bug 618623: '%2147483647d' % -123 segfaults. This was because an integer overflow in a comparison caused the string resize to be skipped. After fixing the overflow, this could call _PyString_Resize() with a negative size, so I (1) test for that and raise MemoryError instead; (2) also added a test for negative newsize to _PyString_Resize(), raising SystemError as for all bad arguments. An identical bug existed in unicodeobject.c, of course. Will backport to 2.2.2.
---
Objects/stringobject.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'Objects/stringobject.c')

diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index 6a9450a21d..5c5b6aea9e 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -3319,7 +3319,7 @@ _PyString_Resize(PyObject **pv, int newsize)
 	register PyObject *v;
 	register PyStringObject *sv;
 	v = *pv;
-	if (!PyString_Check(v) || v->ob_refcnt != 1) {
+	if (!PyString_Check(v) || v->ob_refcnt != 1 || newsize < 0) {
 		*pv = 0;
 		Py_DECREF(v);
 		PyErr_BadInternalCall();
@@ -3959,10 +3959,14 @@ PyString_Format(PyObject *format, PyObject *args)
 			}
 			if (width < len)
 				width = len;
-			if (rescnt < width + (sign != 0)) {
+			if (rescnt - (sign != 0) < width) {
 				reslen -= rescnt;
 				rescnt = width + fmtcnt + 100;
 				reslen += rescnt;
+				if (reslen < 0) {
+					Py_DECREF(result);
+					return PyErr_NoMemory();
+				}
 				if (_PyString_Resize(&result, reslen) < 0)
 					return NULL;
 				res = PyString_AS_STRING(result)
-- 
cgit v1.2.1
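Review bot: The new `newsize < 0` test in _PyString_Resize shares one condition with the type and refcount checks, so a reader cannot tell from the line which failures are caller bugs versus which are state the function refuses to mutate; a short comment on the added line would help, e.g. `/* a negative newsize is a caller bug, not an allocation failure; report it like the other bad arguments */`. It is also worth noting in that comment that on this path the caller's reference is consumed (`*pv = 0; Py_DECREF(v);` on the following lines) and a SystemError is set, which differs from the MemoryError raised by the PyString_Format hunk below for the same underlying condition. The rest of _PyString_Resize, including the reallocation that actually uses newsize, lies outside this hunk.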
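Review bot: The added `if (reslen < 0)` guard in PyString_Format relies on `rescnt = width + fmtcnt + 100;` and `reslen += rescnt;` wrapping to a negative value, but those are signed int additions and overflowing them is undefined behavior, so the compiler is entitled to assume the sum is non-negative and drop the check. The rewritten comparison `rescnt - (sign != 0) < width` does avoid the original overflow, so the remaining hazard is only the growth computation. Checking the bound before the addition, using INT_MAX (from <limits.h>, which Python.h appears to include), keeps the MemoryError behavior without depending on wraparound; the enclosing PyString_Format starts and ends outside this hunk, and `fmtcnt` and `reslen - rescnt` are assumed non-negative here, which should be confirmed against the surrounding code.

```c
				reslen -= rescnt;
				/* reject growth before the addition can overflow int (UB) */
				if (width > INT_MAX - 100 - fmtcnt ||
				    reslen > INT_MAX - (width + fmtcnt + 100)) {
					Py_DECREF(result);
					return PyErr_NoMemory();
				}
				rescnt = width + fmtcnt + 100;
				reslen += rescnt;
				/* … unchanged: _PyString_Resize call and res/rescnt update … */
```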