From c3c9db89273fabc62ea1b48389d9a3000c1c03ae Mon Sep 17 00:00:00 2001

From: Jay Bosamiya <jaybosamiya@gmail.com>

Date: Sun, 18 Jun 2017 22:11:03 +0530

Subject: [PATCH] [2.7] bpo-30657: Check & prevent integer overflow in

 PyString_DecodeEscape (#2174)

diff --git a/Objects/stringobject.c b/Objects/stringobject.c

index c78e19316a0..59d22e76946 100644

--- a/Objects/stringobject.c

+++ b/Objects/stringobject.c

@@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s,

     char *p, *buf;

     const char *end;

     PyObject *v;

-    Py_ssize_t newlen = recode_encoding ? 4*len:len;

+    Py_ssize_t newlen;

+    /* Check for integer overflow */

+    if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {

+        PyErr_SetString(PyExc_OverflowError, "string is too large");

+        return NULL;

+    }

+    newlen = recode_encoding ? 4*len:len;

     v = PyString_FromStringAndSize((char *)NULL, newlen);

     if (v == NULL)

         return NULL;