summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuido van Rossum <guido@python.org>1999-02-23 18:05:22 (GMT)
committerGuido van Rossum <guido@python.org>1999-02-23 18:05:22 (GMT)
commit3791b0de365237b3bdddcc050858a83b8fd97f99 (patch)
treee807ff3bc40fa12caebef7eec5cc7aac8f49eae8
parent24f8579ee4f01d1c22eaf26211a690e8b0d53251 (diff)
downloadcpython-3791b0de365237b3bdddcc050858a83b8fd97f99.zip
cpython-3791b0de365237b3bdddcc050858a83b8fd97f99.tar.gz
cpython-3791b0de365237b3bdddcc050858a83b8fd97f99.tar.bz2
Carefully check for overflow when allocating the memory for fromfile
-- someone tried to pass in sys.maxint and got bitten by the bogus calculations.
-rw-r--r--Modules/arraymodule.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/Modules/arraymodule.c b/Modules/arraymodule.c
index 656f5a6..bb0a9ed 100644
--- a/Modules/arraymodule.c
+++ b/Modules/arraymodule.c
@@ -935,8 +935,15 @@ array_fromfile(self, args)
char *item = self->ob_item;
int itemsize = self->ob_descr->itemsize;
int nread;
- PyMem_RESIZE(item, char, (self->ob_size + n) * itemsize);
+ int newlength;
+ size_t newbytes;
+ /* Be careful here about overflow */
+ if ((newlength = self->ob_size + n) <= 0 ||
+ (newbytes = newlength * itemsize) / itemsize != newlength)
+ goto nomem;
+ PyMem_RESIZE(item, char, newbytes);
if (item == NULL) {
+ nomem:
PyErr_NoMemory();
return NULL;
}