Added checks for integer overflows, contributed by Google. Some are only available if asserts are left in the code, in cases where they can't be triggered from Python code.

commit: 73c01d410117a573731e6c2afc9694005f8d11aa [log] [tgz]
author: Martin v. Löwis <martin@v.loewis.de> Thu Feb 14 11:26:18 2008 +0000
committer: Martin v. Löwis <martin@v.loewis.de> Thu Feb 14 11:26:18 2008 +0000
tree: c0cb9e868b2cb57d9ebd5685d0054b551a33e889
parent: abcb59a1d87c6121db913ce56c9f91fd43f33916 [diff] [blame]
diff --git a/Objects/bufferobject.c b/Objects/bufferobject.c
index 86515ab..88c0e41 100644
--- a/Objects/bufferobject.c
+++ b/Objects/bufferobject.c

@@ -207,7 +207,10 @@
 				"size must be zero or positive");
 		return NULL;
 	}
-	/* XXX: check for overflow in multiply */
+	if (sizeof(*b) > PY_SSIZE_T_MAX - size) {
+		/* unlikely */
+		return PyErr_NoMemory();
+	}
 	/* Inline PyObject_New */
 	o = (PyObject *)PyObject_MALLOC(sizeof(*b) + size);
 	if ( o == NULL )
@@ -397,6 +400,8 @@
 	if ( (count = (*pb->bf_getreadbuffer)(other, 0, &ptr2)) < 0 )
 		return NULL;
 
+	assert(count <= PY_SIZE_MAX - size);
+
  	ob = PyString_FromStringAndSize(NULL, size + count);
 	if ( ob == NULL )
 		return NULL;
commit	73c01d410117a573731e6c2afc9694005f8d11aa	[log] [tgz]
author	Martin v. Löwis <martin@v.loewis.de>	Thu Feb 14 11:26:18 2008 +0000
committer	Martin v. Löwis <martin@v.loewis.de>	Thu Feb 14 11:26:18 2008 +0000
tree	c0cb9e868b2cb57d9ebd5685d0054b551a33e889
parent	abcb59a1d87c6121db913ce56c9f91fd43f33916 [diff] [blame]