STINNER Victor added the comment:
Benjamin, could you please first propose a patch for review instead of
commiting directly your change? Especially for security related changes.
+ if (length > PY_SSIZE_T_MAX / 3 ||
+ length > PY_SIZE_MAX / (3 * sizeof(Py_UCS4))) {
+ PyErr_SetString(PyExc_OverflowError, "string is too long");
+ return NULL;
+ }
tmp = PyMem_MALLOC(sizeof(Py_UCS4) * 3 * length);
PyMem_MALLOC() returns NULL if the length is larger than PY_SSIZE_T_MAX, so the
overflow check doesn't look correct. The overflow check can be replaced with:
if ((size_t)length > PY_SSIZE_T_MAX / (3 * sizeof(Py_UCS4))) ...
----------
resolution: fixed ->
status: closed -> open
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue22643>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
