Security patches from Apple: prevent int overflow when allocating memory
diff --git a/Modules/stropmodule.c b/Modules/stropmodule.c
index bc60959..2d88474 100644
--- a/Modules/stropmodule.c
+++ b/Modules/stropmodule.c
@@ -216,6 +216,13 @@
return NULL;
}
slen = PyString_GET_SIZE(item);
+ if (slen > PY_SSIZE_T_MAX - reslen ||
+ seplen > PY_SSIZE_T_MAX - reslen - seplen) {
+ PyErr_SetString(PyExc_OverflowError,
+ "input too long");
+ Py_DECREF(res);
+ return NULL;
+ }
while (reslen + slen + seplen >= sz) {
if (_PyString_Resize(&res, sz * 2) < 0)
return NULL;
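Review bot: The second clause of the added guard subtracts `seplen` where it should subtract `slen`, so it does not bound the sum that the following `while (reslen + slen + seplen >= sz)` computes. When `reslen + slen` is already close to `PY_SSIZE_T_MAX`, a small `seplen` passes both tests and the signed addition in the loop condition can still overflow. The clause should read `seplen > PY_SSIZE_T_MAX - reslen - slen`, which is safe to evaluate because the first clause has already established `slen <= PY_SSIZE_T_MAX - reslen`. The same expression is repeated in the second hunk (the guard added before the other resize loop) and needs the same correction. The enclosing function starts and ends outside this hunk.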
@@ -253,6 +260,14 @@
return NULL;
}
slen = PyString_GET_SIZE(item);
+ if (slen > PY_SSIZE_T_MAX - reslen ||
+ seplen > PY_SSIZE_T_MAX - reslen - seplen) {
+ PyErr_SetString(PyExc_OverflowError,
+ "input too long");
+ Py_DECREF(res);
+ Py_XDECREF(item);
+ return NULL;
+ }
while (reslen + slen + seplen >= sz) {
if (_PyString_Resize(&res, sz * 2) < 0) {
Py_DECREF(item);
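Review bot: The growth step `_PyString_Resize(&res, sz * 2)` is still unchecked in this loop and in the one in the first hunk, so the doubling itself can overflow even when the added guard passes. The declaration of `sz` is outside the hunk, but if it is a `Py_ssize_t` then any `sz` above `PY_SSIZE_T_MAX / 2` overflows the signed multiplication before the resize call sees it. A check such as `if (sz > PY_SSIZE_T_MAX / 2)` that takes the same `OverflowError` path, placed before the resize, would close that gap. A comment on the guard stating the invariant it establishes (`reslen + slen + seplen` fits in `Py_ssize_t`) would also help the next reader check it.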