commit c04ddff290fc203d05b75c8569b748525fb76b5b
author Mark Dickinson <mdickinson@enthought.com> Sat Oct 06 18:04:49 2012 +0100
committer Mark Dickinson <mdickinson@enthought.com> Sat Oct 06 18:04:49 2012 +0100
tree 184849e76ebe965016c2737939f9eaa0dfb900ee
parent a2028733ef072740921017e544d29d191fdb2c9c

Issue #16096: Fix several occurrences of potential signed integer overflow.  Thanks Serhiy Storchaka.

Modules/arraymodule.c

diff --git a/Modules/arraymodule.c b/Modules/arraymodule.c
index 04eb67c..3f5aa8b 100644
--- a/Modules/arraymodule.c
+++ b/Modules/arraymodule.c
@@ -483,11 +483,11 @@
         return NULL;
     }
 
-    nbytes = size * descr->itemsize;
     /* Check for overflow */
-    if (nbytes / descr->itemsize != (size_t)size) {
+    if (size > PY_SSIZE_T_MAX / descr->itemsize) {
         return PyErr_NoMemory();
     }
+    nbytes = size * descr->itemsize;
     op = (arrayobject *) type->tp_alloc(type, 0);
     if (op == NULL) {
         return NULL;
@@ -1251,11 +1251,15 @@
     if (!PyArg_ParseTuple(args, "On:fromfile", &f, &n))
         return NULL;
 
-    nbytes = n * itemsize;
-    if (nbytes < 0 || nbytes/itemsize != n) {
+    if (n < 0) {
+        PyErr_SetString(PyExc_ValueError, "negative count");
+        return NULL;
+    }
+    if (n > PY_SSIZE_T_MAX / itemsize) {
         PyErr_NoMemory();
         return NULL;
     }
+    nbytes = n * itemsize;
 
     b = _PyObject_CallMethodId(f, &PyId_read, "n", nbytes);
     if (b == NULL)