commit e7d8be80ba634fa15ece6f503c33592e0d333361
author Neal Norwitz <nnorwitz@gmail.com> Thu Jul 31 17:17:14 2008 +0000
committer Neal Norwitz <nnorwitz@gmail.com> Thu Jul 31 17:17:14 2008 +0000
tree 4264163ebdcea24504f3842330602d98301cf659
parent e70f8e1205b5fc60a30469db69bbee4d5d532d86

Security patches from Apple:  prevent int overflow when allocating memory

Objects/bufferobject.c

diff --git a/Objects/bufferobject.c b/Objects/bufferobject.c
index 3bd8c6b..9a5c39f 100644
--- a/Objects/bufferobject.c
+++ b/Objects/bufferobject.c
@@ -431,6 +431,10 @@
 		count = 0;
 	if (!get_buf(self, &ptr, &size, ANY_BUFFER))
 		return NULL;
+	if (count > PY_SSIZE_T_MAX / size) {
+		PyErr_SetString(PyExc_MemoryError, "result too large");
+		return NULL;
+	}
 	ob = PyString_FromStringAndSize(NULL, size * count);
 	if ( ob == NULL )
 		return NULL;