changeset: 93068:449b1f427cc7 branch: 3.3 parent: 93032:433d10b195f2 user: Benjamin Peterson date: Wed Oct 15 11:47:36 2014 -0400 files: Lib/test/test_unicode.py Misc/NEWS Objects/unicodeobject.c description: fix integer overflow in unicode case operations (closes #22643) diff -r 433d10b195f2 -r 449b1f427cc7 Lib/test/test_unicode.py --- a/Lib/test/test_unicode.py Mon Oct 13 11:54:50 2014 -0400 +++ b/Lib/test/test_unicode.py Wed Oct 15 11:47:36 2014 -0400 @@ -661,6 +661,11 @@ self.assertEqual('x'.center(4, '\U0010FFFF'), '\U0010FFFFx\U0010FFFF\U0010FFFF') + @unittest.skipUnless(sys.maxsize == 2**31 - 1, "requires 32-bit system") + def test_case_operation_overflow(self): + # Issue #22643 + self.assertRaises(OverflowError, ("ΓΌ"*(2**32//12 + 1)).upper) + def test_contains(self): # Testing Unicode contains method self.assertIn('a', 'abdb') diff -r 433d10b195f2 -r 449b1f427cc7 Misc/NEWS --- a/Misc/NEWS Mon Oct 13 11:54:50 2014 -0400 +++ b/Misc/NEWS Wed Oct 15 11:47:36 2014 -0400 @@ -10,6 +10,9 @@ Core and Builtins ----------------- +- Issue #22643: Fix integer overflow in Unicode case operations (upper, lower, + title, swapcase, casefold). + - Issue #22518: Fixed integer overflow issues in "backslashreplace", "xmlcharrefreplace", and "surrogatepass" error handlers. diff -r 433d10b195f2 -r 449b1f427cc7 Objects/unicodeobject.c --- a/Objects/unicodeobject.c Mon Oct 13 11:54:50 2014 -0400 +++ b/Objects/unicodeobject.c Wed Oct 15 11:47:36 2014 -0400 @@ -9484,6 +9484,11 @@ kind = PyUnicode_KIND(self); data = PyUnicode_DATA(self); length = PyUnicode_GET_LENGTH(self); + if (length > PY_SSIZE_T_MAX / 3 || + length > PY_SIZE_MAX / (3 * sizeof(Py_UCS4))) { + PyErr_SetString(PyExc_OverflowError, "string is too long"); + return NULL; + } tmp = PyMem_MALLOC(sizeof(Py_UCS4) * 3 * length); if (tmp == NULL) return PyErr_NoMemory();