Backported of: From c3c9db89273fabc62ea1b48389d9a3000c1c03ae Mon Sep 17 00:00:00 2001 From: Jay Bosamiya <jaybosamiya@gmail.com> Date: Sun, 18 Jun 2017 22:11:03 +0530 Subject: [PATCH] [2.7] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape/PyBytes_DecodeEscape (#2174) Index: python3.5-3.5.3/Objects/bytesobject.c =================================================================== --- python3.5-3.5.3.orig/Objects/bytesobject.c +++ python3.5-3.5.3/Objects/bytesobject.c @@ -970,7 +970,13 @@ PyObject *PyBytes_DecodeEscape(const cha char *p, *buf; const char *end; PyObject *v; - Py_ssize_t newlen = recode_encoding ? 4*len:len; + Py_ssize_t newlen; + /* Check for integer overflow */ + if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) { + PyErr_SetString(PyExc_OverflowError, "string is too large"); + return NULL; + } + newlen = recode_encoding ? 4*len:len; v = PyBytes_FromStringAndSize((char *)NULL, newlen); if (v == NULL) return NULL;