diff options
| author | Neal Norwitz <nnorwitz@gmail.com> | 2008-07-31 17:17:14 (GMT) |
|---|---|---|
| committer | Neal Norwitz <nnorwitz@gmail.com> | 2008-07-31 17:17:14 (GMT) |
| commit | e7d8be80ba634fa15ece6f503c33592e0d333361 (patch) | |
| tree | 4264163ebdcea24504f3842330602d98301cf659 /Modules/gcmodule.c | |
| parent | e70f8e1205b5fc60a30469db69bbee4d5d532d86 (diff) | |
| download | cpython-e7d8be80ba634fa15ece6f503c33592e0d333361.zip cpython-e7d8be80ba634fa15ece6f503c33592e0d333361.tar.gz cpython-e7d8be80ba634fa15ece6f503c33592e0d333361.tar.bz2 | |
Security patches from Apple: prevent int overflow when allocating memory
Diffstat (limited to 'Modules/gcmodule.c')
| -rw-r--r-- | Modules/gcmodule.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/Modules/gcmodule.c b/Modules/gcmodule.c index b8f9c31..6f12972 100644 --- a/Modules/gcmodule.c +++ b/Modules/gcmodule.c @@ -1342,7 +1342,10 @@ PyObject * _PyObject_GC_Malloc(size_t basicsize) { PyObject *op; - PyGC_Head *g = (PyGC_Head *)PyObject_MALLOC( + PyGC_Head *g; + if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head)) + return PyErr_NoMemory(); + g = (PyGC_Head *)PyObject_MALLOC( sizeof(PyGC_Head) + basicsize); if (g == NULL) return PyErr_NoMemory(); @@ -1385,6 +1388,8 @@ _PyObject_GC_Resize(PyVarObject *op, Py_ssize_t nitems) { const size_t basicsize = _PyObject_VAR_SIZE(Py_TYPE(op), nitems); PyGC_Head *g = AS_GC(op); + if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head)) + return (PyVarObject *)PyErr_NoMemory(); g = (PyGC_Head *)PyObject_REALLOC(g, sizeof(PyGC_Head) + basicsize); if (g == NULL) return (PyVarObject *)PyErr_NoMemory(); |