Security patches from Apple: prevent int overflow when allocating memory

commit: e7d8be80ba634fa15ece6f503c33592e0d333361 [log] [tgz]
author: Neal Norwitz <nnorwitz@gmail.com> Thu Jul 31 17:17:14 2008 +0000
committer: Neal Norwitz <nnorwitz@gmail.com> Thu Jul 31 17:17:14 2008 +0000
tree: 4264163ebdcea24504f3842330602d98301cf659
parent: e70f8e1205b5fc60a30469db69bbee4d5d532d86 [diff] [blame]
diff --git a/Objects/tupleobject.c b/Objects/tupleobject.c
index 79d7553..348ae8c 100644
--- a/Objects/tupleobject.c
+++ b/Objects/tupleobject.c

@@ -60,11 +60,12 @@
 		Py_ssize_t nbytes = size * sizeof(PyObject *);
 		/* Check for overflow */
 		if (nbytes / sizeof(PyObject *) != (size_t)size ||
-		    (nbytes += sizeof(PyTupleObject) - sizeof(PyObject *))
-		    <= 0)
+		    (nbytes > PY_SSIZE_T_MAX - sizeof(PyTupleObject) - sizeof(PyObject *)))
 		{
 			return PyErr_NoMemory();
 		}
+		nbytes += sizeof(PyTupleObject) - sizeof(PyObject *);
+
 		op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size);
 		if (op == NULL)
 			return NULL;
commit	e7d8be80ba634fa15ece6f503c33592e0d333361	[log] [tgz]
author	Neal Norwitz <nnorwitz@gmail.com>	Thu Jul 31 17:17:14 2008 +0000
committer	Neal Norwitz <nnorwitz@gmail.com>	Thu Jul 31 17:17:14 2008 +0000
tree	4264163ebdcea24504f3842330602d98301cf659
parent	e70f8e1205b5fc60a30469db69bbee4d5d532d86 [diff] [blame]