author | Gregory P. Smith <greg@mad-scientist.com> | 2008-07-22 04:46:32 (GMT) |
---|---|---|
committer | Gregory P. Smith <greg@mad-scientist.com> | 2008-07-22 04:46:32 (GMT) |
commit | 0470bab69783c13447cb634fa403ef1067fe56d1 (patch) | |
tree | 8930faf64b2224f282512ff18a41bb0b338beded /Modules | |
parent | f5574a0c290aac0ec581415fdd343641c00d5d42 (diff) | |
Issue #2620: Overflow checking when allocating or reallocating memory
was not always being done properly in some python types and extension
modules. PyMem_MALLOC, PyMem_REALLOC, PyMem_NEW and PyMem_RESIZE have
all been updated to perform better checks and places in the code that
would previously leak memory on the error path when such an allocation
failed have been fixed.
Diffstat (limited to 'Modules')
-rw-r--r-- | Modules/almodule.c | 2 | ||||
-rw-r--r-- | Modules/arraymodule.c | 5 | ||||
-rw-r--r-- | Modules/selectmodule.c | 4 |
3 files changed, 9 insertions, 2 deletions
diff --git a/Modules/almodule.c b/Modules/almodule.c
index 7f48fff..93f26bd 100644
--- a/Modules/almodule.c
+++ b/Modules/almodule.c
@@ -1633,9 +1633,11 @@ al_QueryValues(PyObject *self, PyObject *args)
 if (nvals < 0) goto cleanup;
 if (nvals > setsize) {
+ ALvalue *old_return_set = return_set;
 setsize = nvals;
 PyMem_RESIZE(return_set, ALvalue, setsize);
 if (return_set == NULL) {
+ return_set = old_return_set;
 PyErr_NoMemory();
 goto cleanup;
 }
diff --git a/Modules/arraymodule.c b/Modules/arraymodule.c
index 99d25d3..bcd82aa 100644
--- a/Modules/arraymodule.c
+++ b/Modules/arraymodule.c
@@ -815,6 +815,7 @@ static int
 array_do_extend(arrayobject *self, PyObject *bb)
 {
 Py_ssize_t size;
+ char *old_item;
 if (!array_Check(bb)) return array_iter_extend(self, bb);
@@ -830,8 +831,10 @@ array_do_extend(arrayobject *self, PyObject *bb)
 return -1;
 }
 size = Py_SIZE(self) + Py_SIZE(b);
+ old_item = self->ob_item;
 PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize);
 if (self->ob_item == NULL) {
+ self->ob_item = old_item;
 PyErr_NoMemory();
 return -1;
 }
@@ -884,7 +887,7 @@ array_inplace_repeat(arrayobject *self, Py_ssize_t n)
 if (size > PY_SSIZE_T_MAX / n) {
 return PyErr_NoMemory();
 }
- PyMem_Resize(items, char, n * size);
+ PyMem_RESIZE(items, char, n * size);
 if (items == NULL) return PyErr_NoMemory();
 p = items;
diff --git a/Modules/selectmodule.c b/Modules/selectmodule.c
index 83a6538..86ee3cc 100644
--- a/Modules/selectmodule.c
+++ b/Modules/selectmodule.c
@@ -349,10 +349,12 @@ update_ufd_array(pollObject *self)
 {
 Py_ssize_t i, pos;
 PyObject *key, *value;
+ struct pollfd *old_ufds = self->ufds;
 self->ufd_len = PyDict_Size(self->dict);
- PyMem_Resize(self->ufds, struct pollfd, self->ufd_len);
+ PyMem_RESIZE(self->ufds, struct pollfd, self->ufd_len);
 if (self->ufds == NULL) {
+ self->ufds = old_ufds;
 PyErr_NoMemory();
 return 0;
 }
 |
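Review bot: The save-and-restore around `PyMem_RESIZE` in al_QueryValues carries no comment, and the same unexplained pattern recurs in array_do_extend and update_ufd_array later in this commit. A reader who does not know that the macro overwrites its first argument with NULL on failure while the original block stays allocated is likely to remove `old_return_set` as dead code and reintroduce the leak. I would add above the declaration: `/* PyMem_RESIZE NULLs return_set on failure without freeing the old block; keep the pointer so the cleanup path can still release it */`. That the `cleanup` label frees return_set is inferred from the commit description, since the label lies outside the hunk.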
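Review bot: In array_do_extend both `Py_SIZE(self) + Py_SIZE(b)` and `size*self->ob_descr->itemsize` are evaluated in signed Py_ssize_t arithmetic before `PyMem_RESIZE` receives a value, so an overflow check inside the macro cannot catch a sum or product that has already wrapped. Because the element type passed is `char`, any per-element bound the macro applies would presumably see only the finished byte count; the macro definition is not on this page, so that part is inferred. A wrapped size would leave ob_item smaller than whatever copy follows outside the hunk expects. array_inplace_repeat in the same file already guards its multiplication with `size > PY_SSIZE_T_MAX / n`, and the equivalent guard for this function, placed before `size` is computed, is shown below. The function begins in the previous hunk and continues past this one.

```c
	/* ... unchanged: argument and type checks above ... */
	/* Reject sizes whose sum or byte count would not fit in Py_ssize_t
	   (assumes itemsize is positive). */
	if (Py_SIZE(self) > PY_SSIZE_T_MAX - Py_SIZE(b) ||
	    Py_SIZE(self) + Py_SIZE(b) > PY_SSIZE_T_MAX / self->ob_descr->itemsize) {
		PyErr_NoMemory();
		return -1;
	}
	size = Py_SIZE(self) + Py_SIZE(b);
	/* ... unchanged: old_item save, PyMem_RESIZE, NULL check ... */
```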
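Review bot: `self->ufd_len` is overwritten with the new dictionary size before `PyMem_RESIZE` is known to have succeeded, so the failure path in update_ufd_array restores `self->ufds` to the old buffer but leaves the length at the new value. If the dictionary grew, the object then pairs a buffer of the old size with a larger count, and any later use of the two together without a successful re-run of this function would index past the allocation; whether such a path exists is not visible in this hunk. Holding the size in a local, calling `PyMem_RESIZE(self->ufds, struct pollfd, new_len);` and storing `self->ufd_len = new_len;` only after the NULL check closes the gap. The function body continues past the end of the hunk.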