author | Thomas Heller <theller@ctypes.org> | 2007-03-23 19:55:27 (GMT) |
---|---|---|
committer | Thomas Heller <theller@ctypes.org> | 2007-03-23 19:55:27 (GMT) |
commit | e6a70394518340fc595ff67fcfbf8e4c3ffbfd48 (patch) | |
tree | 0eeefc0f21f570127163e3ed294cd716a50a8e3d /Modules | |
parent | 234b1ff24fb60f5002a4a0d68e0f29d493de0863 (diff) | |
Prevent creation (followed by a segfault) of array types when the size
overflows the valid Py_ssize_t range. Check return values of
PyMem_Malloc.
Will backport to release25-maint.
Diffstat (limited to 'Modules')
-rw-r--r-- | Modules/_ctypes/_ctypes.c | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/Modules/_ctypes/_ctypes.c b/Modules/_ctypes/_ctypes.c index cfff1a9..80a0891 100644 --- a/Modules/_ctypes/_ctypes.c +++ b/Modules/_ctypes/_ctypes.c @@ -1002,6 +1002,12 @@ ArrayType_new(PyTypeObject *type, PyObject *args, PyObject *kwds) } itemsize = itemdict->size; + if (length * itemsize < 0) { + PyErr_SetString(PyExc_OverflowError, + "array too large"); + return NULL; + } + itemalign = itemdict->align; stgdict->size = itemsize * length; @@ -2176,7 +2182,7 @@ PyTypeObject CData_Type = { 0, /* tp_free */ }; -static void CData_MallocBuffer(CDataObject *obj, StgDictObject *dict) +static int CData_MallocBuffer(CDataObject *obj, StgDictObject *dict) { if ((size_t)dict->size <= sizeof(obj->b_value)) { /* No need to call malloc, can use the default buffer */ @@ -2193,10 +2199,15 @@ static void CData_MallocBuffer(CDataObject *obj, StgDictObject *dict) 33% of the creation time for c_int(). */ obj->b_ptr = (char *)PyMem_Malloc(dict->size); + if (obj->b_ptr == NULL) { + PyErr_NoMemory(); + return -1; + } obj->b_needsfree = 1; memset(obj->b_ptr, 0, dict->size); } obj->b_size = dict->size; + return 0; } PyObject * @@ -2228,7 +2239,10 @@ CData_FromBaseObj(PyObject *type, PyObject *base, Py_ssize_t index, char *adr) cmem->b_base = (CDataObject *)base; cmem->b_index = index; } else { /* copy contents of adr */ - CData_MallocBuffer(cmem, dict); + if (-1 == CData_MallocBuffer(cmem, dict)) { + return NULL; + Py_DECREF(cmem); + } memcpy(cmem->b_ptr, adr, dict->size); cmem->b_index = index; } @@ -2441,7 +2455,10 @@ GenericCData_new(PyTypeObject *type, PyObject *args, PyObject *kwds) obj->b_objects = NULL; obj->b_length = dict->length; - CData_MallocBuffer(obj, dict); + if (-1 == CData_MallocBuffer(obj, dict)) { + Py_DECREF(obj); + return NULL; + } return (PyObject *)obj; } /*****************************************************************/ |
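Review bot: The new guard `if (length * itemsize < 0)` in ArrayType_new tests for overflow only after the multiplication has been performed, and only catches the case where the wrapped product is negative. Signed overflow is undefined behaviour in C, so the compiler is not obliged to keep the test, and a product that wraps back to a non-negative value passes it and reaches `stgdict->size = itemsize * length` with a size smaller than the array really needs. Checking before multiplying avoids both problems: `if (itemsize != 0 && length > PY_SSIZE_T_MAX / itemsize) {`. This assumes a negative `length` is rejected earlier, which the hunk does not show; the function body starts and ends outside it.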
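Review bot: CData_MallocBuffer now returns a status, but nothing at the definition states what the values mean or what state the object is left in on failure. A comment above the signature would cover it, for example `/* Returns 0 on success. On allocation failure sets MemoryError and returns -1 with obj->b_ptr == NULL; b_needsfree and b_size are not updated. */`. Both callers release the object on that path, so it is worth confirming that the deallocator, which is outside this diff, tolerates a NULL b_ptr.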
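Review bot: In the CData_FromBaseObj hunk the failure branch has its two statements in the wrong order: `return NULL;` comes before `Py_DECREF(cmem);`, so the decref is unreachable and `cmem` is leaked every time the allocation fails. Swap them so the branch reads `Py_DECREF(cmem);` followed by `return NULL;`, which is what the GenericCData_new hunk already does with `obj`. The function begins and ends outside the hunk.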