Security patches from Apple:  prevent int overflow when allocating memory
diff --git a/Modules/gcmodule.c b/Modules/gcmodule.c
index b8f9c31..6f12972 100644
--- a/Modules/gcmodule.c
+++ b/Modules/gcmodule.c
@@ -1342,7 +1342,10 @@
 _PyObject_GC_Malloc(size_t basicsize)
 {
 	PyObject *op;
-	PyGC_Head *g = (PyGC_Head *)PyObject_MALLOC(
+	PyGC_Head *g;
+	if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head))
+		return PyErr_NoMemory();
+	g = (PyGC_Head *)PyObject_MALLOC(
                 sizeof(PyGC_Head) + basicsize);
 	if (g == NULL)
 		return PyErr_NoMemory();
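Review bot: The new guard in `_PyObject_GC_Malloc` has no comment saying which sum it protects or why the limit is `PY_SSIZE_T_MAX`, and the same expression is repeated in the second hunk of this file. A one-line comment above it, such as `/* sizeof(PyGC_Head) + basicsize must not wrap or exceed PY_SSIZE_T_MAX */`, would make the intent clear. Because the test is duplicated, a small shared macro or static helper would keep the two sites from drifting apart. The function body continues past the end of the hunk.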
@@ -1385,6 +1388,8 @@
 {
 	const size_t basicsize = _PyObject_VAR_SIZE(Py_TYPE(op), nitems);
 	PyGC_Head *g = AS_GC(op);
+	if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head))
+		return (PyVarObject *)PyErr_NoMemory();
 	g = (PyGC_Head *)PyObject_REALLOC(g,  sizeof(PyGC_Head) + basicsize);
 	if (g == NULL)
 		return (PyVarObject *)PyErr_NoMemory();
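Review bot: The added check tests `basicsize` only after `_PyObject_VAR_SIZE(Py_TYPE(op), nitems)` has already computed it. That macro is not visible in this hunk; if it multiplies `nitems` by the item size without its own overflow test, a wrapped result would be small enough to pass the new guard and the reallocation would be undersized. It is worth confirming that `nitems` is bounded before this point, or adding a guard on `nitems` ahead of the size computation. The function starts and ends outside the hunk.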
diff --git a/Modules/mmapmodule.c b/Modules/mmapmodule.c
index c71d840..08b5a96 100644
--- a/Modules/mmapmodule.c
+++ b/Modules/mmapmodule.c
@@ -239,7 +239,7 @@
 		return(NULL);
 
 	/* silently 'adjust' out-of-range requests */
-	if ((self->pos + num_bytes) > self->size) {
+	if (num_bytes > self->size - self->pos) {
 		num_bytes -= (self->pos+num_bytes) - self->size;
 	}
 	result = Py_BuildValue("s#", self->data+self->pos, num_bytes);
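Review bot: The adjustment on the unchanged line inside the `if` still evaluates `self->pos+num_bytes`, the very sum the rewritten condition was changed to avoid. Whether that wraps harmlessly depends on the operand types, which are not visible in this hunk; assigning the clamp directly, `num_bytes = self->size - self->pos;`, removes the question. The new condition also assumes `self->pos <= self->size`; if that invariant is not enforced elsewhere, the subtraction could itself wrap and the clamp would be skipped. A negative `num_bytes` is likewise not handled visibly here. The enclosing function starts and ends outside the hunk.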
diff --git a/Modules/stropmodule.c b/Modules/stropmodule.c
index bc60959..2d88474 100644
--- a/Modules/stropmodule.c
+++ b/Modules/stropmodule.c
@@ -216,6 +216,13 @@
 				return NULL;
 			}
 			slen = PyString_GET_SIZE(item);
+			if (slen > PY_SSIZE_T_MAX - reslen ||
+			    seplen > PY_SSIZE_T_MAX - reslen - seplen) {
+				PyErr_SetString(PyExc_OverflowError,
+						"input too long");
+				Py_DECREF(res);
+				return NULL;
+			}
 			while (reslen + slen + seplen >= sz) {
 				if (_PyString_Resize(&res, sz * 2) < 0)
 					return NULL;
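Review bot: The second operand of the new test subtracts `seplen` from itself (`seplen > PY_SSIZE_T_MAX - reslen - seplen`), so it never involves `slen` and does not bound the sum `reslen + slen + seplen` that the `while` condition computes. A small `reslen` with `slen` close to `PY_SSIZE_T_MAX` passes both operands, and the sum then overflows. The intended test is presumably `seplen > PY_SSIZE_T_MAX - reslen - slen`, which is safe to evaluate once the first operand has passed. The same expression appears in the next hunk (the non-list branch) and needs the same fix. The unchanged `sz * 2` in the resize loop has no overflow check either.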
@@ -253,6 +260,14 @@
 			return NULL;
 		}
 		slen = PyString_GET_SIZE(item);
+		if (slen > PY_SSIZE_T_MAX - reslen ||
+		    seplen > PY_SSIZE_T_MAX - reslen - seplen) {
+			PyErr_SetString(PyExc_OverflowError,
+					"input too long");
+			Py_DECREF(res);
+			Py_XDECREF(item);
+			return NULL;
+		}
 		while (reslen + slen + seplen >= sz) {
 			if (_PyString_Resize(&res, sz * 2) < 0) {
 				Py_DECREF(item);
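Review bot: The new error path releases `item` with `Py_XDECREF(item)`, while the existing resize-failure path three lines below uses `Py_DECREF(item)`. `item` has just been passed to `PyString_GET_SIZE`, so it cannot be NULL here and the two paths should use the same form, `Py_DECREF(item);`. The unchanged resize-failure path, unlike the added one, shows no `Py_DECREF(res)` within the visible lines. The rest of that path is outside the hunk, so it is worth checking that `res` is not leaked or double-released there.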