Security patches from Apple: prevent int overflow when allocating memory
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index 3901f57..60d3e8a 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -75,6 +75,11 @@
return (PyObject *)op;
}
+ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
+ PyErr_SetString(PyExc_OverflowError, "string is too large");
+ return NULL;
+ }
+
/* Inline PyObject_NewVar */
op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
if (op == NULL)
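Review bot: The new guard `size > PY_SSIZE_T_MAX - sizeof(PyStringObject)` compares `size` against a `size_t` expression, so if `size` is a signed `Py_ssize_t` here (its declaration is outside the hunk) it is converted to unsigned before the comparison. A negative size would then be rejected only as a side effect of that conversion and reported as "string is too large". Writing the condition as `if (size < 0 || (size_t)size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {` makes the intent explicit and avoids sign-compare warnings. The same bound is repeated in the hunks at -110 and -971, so a one-line comment such as `/* keep sizeof(PyStringObject) + size within Py_ssize_t range */` would help at each site. The function's body starts and ends outside this hunk.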
@@ -110,7 +115,7 @@
assert(str != NULL);
size = strlen(str);
- if (size > PY_SSIZE_T_MAX) {
+ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
PyErr_SetString(PyExc_OverflowError,
"string is too long for a Python string");
return NULL;
@@ -971,14 +976,24 @@
Py_INCREF(a);
return (PyObject *)a;
}
+ /* Check that string sizes are not negative, to prevent an
+ overflow in cases where we are passed incorrectly-created
+ strings with negative lengths (due to a bug in other code).
+ */
size = a->ob_size + b->ob_size;
- if (size < 0) {
+ if (a->ob_size < 0 || b->ob_size < 0 ||
+ a->ob_size > PY_SSIZE_T_MAX - b->ob_size) {
PyErr_SetString(PyExc_OverflowError,
"strings are too large to concat");
return NULL;
}
/* Inline PyObject_NewVar */
+ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
+ PyErr_SetString(PyExc_OverflowError,
+ "strings are too large to concat");
+ return NULL;
+ }
op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
if (op == NULL)
return PyErr_NoMemory();
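Review bot: `size = a->ob_size + b->ob_size;` still runs before the new range check, so when the two lengths overflow, the signed addition has already been evaluated, which is undefined behaviour in C. Moving the assignment below the `if` block, so the operands are validated first and `size = a->ob_size + b->ob_size;` follows, keeps the sum from being computed on bad input. The added comment mentions only negative lengths although the condition also rejects a sum above PY_SSIZE_T_MAX, and `/* Inline PyObject_NewVar */` now sits above the second size check instead of the allocation it describes. The function begins and ends outside this hunk.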