From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Date: Thu, 14 Apr 2022 01:38:55 +0000 (-0700) Subject: gh-91421: Use constant value check during runtime (GH-91422) (GH-91493) X-Git-Tag: archive/raspbian/3.9.2-1+rpi1+deb11u6~1^2~12 X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com//%22mailto:ematirov%40gmail.com/%22/%22http:/www.example.com/%22mailto:ematirov%40gmail.com/%22?a=commitdiff_plain;h=956158c9d560ff3d55dba14757e1e65d1a136bd3;p=python3.9.git gh-91421: Use constant value check during runtime (GH-91422) (GH-91493) The left-hand side expression of the if-check can be converted to a constant by the compiler, but the addition on the right-hand side is performed during runtime. Move the addition from the right-hand side to the left-hand side by turning it into a subtraction there. Since the values are known to be large enough to not turn negative, this is a safe operation. Prevents a very unlikely integer overflow on 32 bit systems. Fixes GH-91421. (cherry picked from commit 0859368335d470b9ff33fc53ed9a85ec2654b278) Co-authored-by: Tobias Stoeckmann Origin: upstream, https://github.com/python/cpython/commit/edf1a77f239069235f59103cfd8ce7f939c7fd10 Gbp-Pq: Name CVE-2025-4516-3.patch --- diff --git a/Misc/NEWS.d/next/Core and Builtins/2022-04-10-22-57-27.gh-issue-91421.dHhv6U.rst b/Misc/NEWS.d/next/Core and Builtins/2022-04-10-22-57-27.gh-issue-91421.dHhv6U.rst new file mode 100644 index 0000000..898eb0d --- /dev/null +++ b/Misc/NEWS.d/next/Core and Builtins/2022-04-10-22-57-27.gh-issue-91421.dHhv6U.rst @@ -0,0 +1 @@ +Fix a potential integer overflow in _Py_DecodeUTF8Ex. diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index 77dee87..da82ab4 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c @@ -5175,7 +5175,7 @@ _Py_DecodeUTF8Ex(const char *s, Py_ssize_t size, wchar_t **wstr, size_t *wlen, /* Note: size will always be longer than the resulting Unicode character count */ - if (PY_SSIZE_T_MAX / (Py_ssize_t)sizeof(wchar_t) < (size + 1)) { + if (PY_SSIZE_T_MAX / (Py_ssize_t)sizeof(wchar_t) - 1 < size) { return -1; }