Security patches from Apple: prevent int overflow when allocating memory
diff --git a/Modules/gcmodule.c b/Modules/gcmodule.c
index b8f9c31..6f12972 100644
--- a/Modules/gcmodule.c
+++ b/Modules/gcmodule.c
@@ -1342,7 +1342,10 @@
_PyObject_GC_Malloc(size_t basicsize)
{
PyObject *op;
- PyGC_Head *g = (PyGC_Head *)PyObject_MALLOC(
+ PyGC_Head *g;
+ if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head))
+ return PyErr_NoMemory();
+ g = (PyGC_Head *)PyObject_MALLOC(
sizeof(PyGC_Head) + basicsize);
if (g == NULL)
return PyErr_NoMemory();
@@ -1385,6 +1388,8 @@
{
const size_t basicsize = _PyObject_VAR_SIZE(Py_TYPE(op), nitems);
PyGC_Head *g = AS_GC(op);
+ if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head))
+ return (PyVarObject *)PyErr_NoMemory();
g = (PyGC_Head *)PyObject_REALLOC(g, sizeof(PyGC_Head) + basicsize);
if (g == NULL)
return (PyVarObject *)PyErr_NoMemory();