PyNode_AddChild() and fancy_roundup(): Be paranoid about int overflow.
diff --git a/Parser/node.c b/Parser/node.c
index cccfa82..9ed34b8 100644
--- a/Parser/node.c
+++ b/Parser/node.c
@@ -18,15 +18,18 @@
return n;
}
-/* See comments at XXXROUNDUP below. */
+/* See comments at XXXROUNDUP below. Returns -1 on overflow. */
static int
fancy_roundup(int n)
{
/* Round up to the closest power of 2 >= n. */
int result = 256;
assert(n > 128);
- while (result < n)
+ while (result < n) {
result <<= 1;
+ if (result <= 0)
+ return -1;
+ }
return result;
}
@@ -62,6 +65,8 @@
current_capacity = XXXROUNDUP(nch);
required_capacity = XXXROUNDUP(nch + 1);
+ if (current_capacity < 0 || required_capacity < 0)
+ return E_OVERFLOW;
if (current_capacity < required_capacity) {
n = n1->n_child;
PyMem_RESIZE(n, node, required_capacity);