diff options
| author | Guido van Rossum <guido@python.org> | 1999-02-23 18:05:22 (GMT) |
|---|---|---|
| committer | Guido van Rossum <guido@python.org> | 1999-02-23 18:05:22 (GMT) |
| commit | 3791b0de365237b3bdddcc050858a83b8fd97f99 (patch) | |
| tree | e807ff3bc40fa12caebef7eec5cc7aac8f49eae8 /Modules/arraymodule.c | |
| parent | 24f8579ee4f01d1c22eaf26211a690e8b0d53251 (diff) | |
| download | cpython-3791b0de365237b3bdddcc050858a83b8fd97f99.zip cpython-3791b0de365237b3bdddcc050858a83b8fd97f99.tar.gz cpython-3791b0de365237b3bdddcc050858a83b8fd97f99.tar.bz2 | |
Carefully check for overflow when allocating the memory for fromfile
-- someone tried to pass in sys.maxint and got bitten by the bogus
calculations.
Diffstat (limited to 'Modules/arraymodule.c')
| -rw-r--r-- | Modules/arraymodule.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/Modules/arraymodule.c b/Modules/arraymodule.c index 656f5a6..bb0a9ed 100644 --- a/Modules/arraymodule.c +++ b/Modules/arraymodule.c @@ -935,8 +935,15 @@ array_fromfile(self, args) char *item = self->ob_item; int itemsize = self->ob_descr->itemsize; int nread; - PyMem_RESIZE(item, char, (self->ob_size + n) * itemsize); + int newlength; + size_t newbytes; + /* Be careful here about overflow */ + if ((newlength = self->ob_size + n) <= 0 || + (newbytes = newlength * itemsize) / itemsize != newlength) + goto nomem; + PyMem_RESIZE(item, char, newbytes); if (item == NULL) { + nomem: PyErr_NoMemory(); return NULL; } |