fix possible overflow bugs in unicodedata (closes #23367)

benjaminp · benjaminp · commit b779bfba458a · 2015-03-02T11:17:05.000-05:00
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -16,6 +16,8 @@ Core and Builtins
 Library
 -------
 
+- Issue #23367: Fix possible overflows in the unicodedata module.
+
 - Issue #23361: Fix possible overflow in Windows subprocess creation code.
 
 - Issue #23363: Fix possible overflow in itertools.permutations.
diff --git a/Modules/unicodedata.c b/Modules/unicodedata.c
@@ -507,10 +507,17 @@ nfd_nfkd(PyObject *self, PyObject *input, int k)
 
     stackptr = 0;
     isize = PyUnicode_GET_LENGTH(input);
+    space = isize;
     /* Overallocate at most 10 characters. */
-    space = (isize > 10 ? 10 : isize) + isize;
+    if (space > 10) {
+        if (space <= PY_SSIZE_T_MAX - 10)
+            space += 10;
+    }
+    else {
+        space *= 2;
+    }
     osize = space;
-    output = PyMem_Malloc(space * sizeof(Py_UCS4));
+    output = PyMem_NEW(Py_UCS4, space);
     if (!output) {
         PyErr_NoMemory();
         return NULL;
@@ -657,7 +664,7 @@ nfc_nfkc(PyObject *self, PyObject *input, int k)
     /* We allocate a buffer for the output.
        If we find that we made no changes, we still return
        the NFD result. */
-    output = PyMem_Malloc(len * sizeof(Py_UCS4));
+    output = PyMem_NEW(Py_UCS4, len);
     if (!output) {
         PyErr_NoMemory();
         Py_DECREF(result);
