commit e7d8be80ba634fa15ece6f503c33592e0d333361
author Neal Norwitz <nnorwitz@gmail.com> Thu Jul 31 17:17:14 2008 +0000
committer Neal Norwitz <nnorwitz@gmail.com> Thu Jul 31 17:17:14 2008 +0000
tree 4264163ebdcea24504f3842330602d98301cf659
parent e70f8e1205b5fc60a30469db69bbee4d5d532d86

Security patches from Apple:  prevent int overflow when allocating memory

Objects/stringobject.c

diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index 793cc88..0d2ceb1 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -74,6 +74,11 @@
 		return (PyObject *)op;
 	}
 
+	if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
+		PyErr_SetString(PyExc_OverflowError, "string is too large");
+		return NULL;
+	}
+
 	/* Inline PyObject_NewVar */
 	op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
 	if (op == NULL)
@@ -109,7 +114,7 @@
 
 	assert(str != NULL);
 	size = strlen(str);
-	if (size > PY_SSIZE_T_MAX) {
+	if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
 		PyErr_SetString(PyExc_OverflowError,
 			"string is too long for a Python string");
 		return NULL;
@@ -977,13 +982,23 @@
 		return (PyObject *)a;
 	}
 	size = Py_SIZE(a) + Py_SIZE(b);
-	if (size < 0) {
+	/* Check that string sizes are not negative, to prevent an
+	   overflow in cases where we are passed incorrectly-created
+	   strings with negative lengths (due to a bug in other code).
+        */
+	if (Py_SIZE(a) < 0 || Py_SIZE(b) < 0 ||
+	    Py_SIZE(a) > PY_SSIZE_T_MAX - Py_SIZE(b)) {
 		PyErr_SetString(PyExc_OverflowError,
 				"strings are too large to concat");
 		return NULL;
 	}
 	  
 	/* Inline PyObject_NewVar */
+	if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
+		PyErr_SetString(PyExc_OverflowError,
+				"strings are too large to concat");
+		return NULL;
+	}
 	op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
 	if (op == NULL)
 		return PyErr_NoMemory();