STINNER Victor added the comment: + size_t argsize = strlen(arg) + 1; + if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t)) + return NULL; + res = PyMem_Malloc(argsize*sizeof(wchar_t));
The code doesn't check for integer overflow on "+1". I suggest instead: + size_t arglen = strlen(arg); + if (arglen > PY_SSIZE_T_MAX / sizeof(wchar_t) - 1) + return NULL; + res = PyMem_Malloc((arglen + 1) * sizeof(wchar_t)); ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue23165> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com