authorNeal Norwitz <nnorwitz@gmail.com>2008-07-31 17:08:14 (GMT)
committerNeal Norwitz <nnorwitz@gmail.com>2008-07-31 17:08:14 (GMT)
commit4f3be8a0a908784f4ab5fec66439643f2c1d79eb (patch)
tree0d7f0d95099fd0b5e93e2f994a3fc0db6b682b29 /Modules
parent83ac0144fa3041556aa4f3952ebd979e0189a19c (diff)
downloadcpython-4f3be8a0a908784f4ab5fec66439643f2c1d79eb.zip
cpython-4f3be8a0a908784f4ab5fec66439643f2c1d79eb.tar.gz
cpython-4f3be8a0a908784f4ab5fec66439643f2c1d79eb.tar.bz2
Security patches from Apple: prevent int overflow when allocating memory
Diffstat (limited to 'Modules')
-rw-r--r--Modules/gcmodule.c7
-rw-r--r--Modules/mmapmodule.c2
-rw-r--r--Modules/stropmodule.c15
3 files changed, 22 insertions, 2 deletions
diff --git a/Modules/gcmodule.c b/Modules/gcmodule.c
index 6c5011c..a6513ae 100644
--- a/Modules/gcmodule.c
+++ b/Modules/gcmodule.c
@@ -1318,7 +1318,10 @@ PyObject *
_PyObject_GC_Malloc(size_t basicsize)
{
PyObject *op;
- PyGC_Head *g = (PyGC_Head *)PyObject_MALLOC(
+ PyGC_Head *g;
+ if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head))
+ return PyErr_NoMemory();
+ g = (PyGC_Head *)PyObject_MALLOC(
sizeof(PyGC_Head) + basicsize);
if (g == NULL)
return PyErr_NoMemory();
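Review bot: The new guard in `_PyObject_GC_Malloc` has no comment explaining why the bound is `PY_SSIZE_T_MAX` rather than the full `size_t` range, and the same expression is repeated in `_PyObject_GC_Resize`. I would add `/* sizeof(PyGC_Head) + basicsize must not wrap and must fit in Py_ssize_t */` above the `if`. The subtraction form matters: rewriting it as `sizeof(PyGC_Head) + basicsize > PY_SSIZE_T_MAX` would let the sum wrap to a small value and pass, so the comment should say the comparison is deliberately written this way. The function body continues outside the hunk.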
@@ -1361,6 +1364,8 @@ _PyObject_GC_Resize(PyVarObject *op, Py_ssize_t nitems)
{
const size_t basicsize = _PyObject_VAR_SIZE(op->ob_type, nitems);
PyGC_Head *g = AS_GC(op);
+ if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head))
+ return (PyVarObject *)PyErr_NoMemory();
g = (PyGC_Head *)PyObject_REALLOC(g, sizeof(PyGC_Head) + basicsize);
if (g == NULL)
return (PyVarObject *)PyErr_NoMemory();
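Review bot: In `_PyObject_GC_Resize` the added check covers only the addition of the `PyGC_Head` header; `basicsize` has already been produced from `nitems` by `_PyObject_VAR_SIZE` two lines earlier. That macro's definition is not in this diff, but if it multiplies `nitems` by the type's item size, a wrapped product would reach this check as a small value and pass, and the `PyObject_REALLOC` would then shrink the block below what the caller expects. It is worth confirming that every caller bounds `nitems` (including against negative values, since it is a `Py_ssize_t`), or rejecting an out-of-range `nitems` before the macro is evaluated.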
diff --git a/Modules/mmapmodule.c b/Modules/mmapmodule.c
index 3565ab6..74b81da 100644
--- a/Modules/mmapmodule.c
+++ b/Modules/mmapmodule.c
@@ -223,7 +223,7 @@ mmap_read_method(mmap_object *self,
return(NULL);
/* silently 'adjust' out-of-range requests */
- if ((self->pos + num_bytes) > self->size) {
+ if (num_bytes > self->size - self->pos) {
num_bytes -= (self->pos+num_bytes) - self->size;
}
result = Py_BuildValue("s#", self->data+self->pos, num_bytes);
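Review bot: The clamp on the line after the rewritten condition still evaluates `self->pos+num_bytes`, the same sum the condition was changed to avoid. The result is only correct if that arithmetic is unsigned and wraps, and the field types are not visible in this hunk. Assigning the remaining length directly removes the dependency: `num_bytes = self->size - self->pos;`. The new condition also assumes `self->pos <= self->size`; if both are unsigned and that invariant is ever broken, the subtraction wraps and no clamping happens, so an assertion or explicit check of it before the comparison would be prudent. A negative `num_bytes` should be handled explicitly too rather than relying on the signed/unsigned conversion in the comparison.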
diff --git a/Modules/stropmodule.c b/Modules/stropmodule.c
index bc60959..2d88474 100644
--- a/Modules/stropmodule.c
+++ b/Modules/stropmodule.c
@@ -216,6 +216,13 @@ strop_joinfields(PyObject *self, PyObject *args)
return NULL;
}
slen = PyString_GET_SIZE(item);
+ if (slen > PY_SSIZE_T_MAX - reslen ||
+ seplen > PY_SSIZE_T_MAX - reslen - seplen) {
+ PyErr_SetString(PyExc_OverflowError,
+ "input too long");
+ Py_DECREF(res);
+ return NULL;
+ }
while (reslen + slen + seplen >= sz) {
if (_PyString_Resize(&res, sz * 2) < 0)
return NULL;
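Review bot: The second clause of the added guard, `seplen > PY_SSIZE_T_MAX - reslen - seplen`, bounds `reslen + 2*seplen` and never involves `slen`. The `while` condition right below it still computes `reslen + slen + seplen`, which can overflow whenever `slen` is larger than `seplen` and `reslen + slen` is close to the limit. The clause should read `seplen > PY_SSIZE_T_MAX - reslen - slen`, which the first clause already makes safe to evaluate. The identical guard in the next hunk of `strop_joinfields` (at `-253` / `+260`) needs the same correction. Separately, `sz * 2` in the resize loop is not covered by either check and can itself overflow once `sz` passes half of `PY_SSIZE_T_MAX`.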
@@ -253,6 +260,14 @@ strop_joinfields(PyObject *self, PyObject *args)
return NULL;
}
slen = PyString_GET_SIZE(item);
+ if (slen > PY_SSIZE_T_MAX - reslen ||
+ seplen > PY_SSIZE_T_MAX - reslen - seplen) {
+ PyErr_SetString(PyExc_OverflowError,
+ "input too long");
+ Py_DECREF(res);
+ Py_XDECREF(item);
+ return NULL;
+ }
while (reslen + slen + seplen >= sz) {
if (_PyString_Resize(&res, sz * 2) < 0) {
Py_DECREF(item);
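Review bot: The added error path releases `item` with `Py_XDECREF(item)`, while the resize-failure path a few lines below uses `Py_DECREF(item)` for the same object. `item` has just been passed to `PyString_GET_SIZE` and so cannot be NULL here. Using `Py_DECREF(item);` in the new branch keeps the two failure paths consistent and avoids implying to a later reader that `item` may be NULL at this point. The enclosing loop body continues outside the hunk.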