summaryrefslogtreecommitdiffstats
path: root/Objects
diff options
context:
space:
mode:
authorGeorg Brandl <georg@python.org>2008-07-23 16:13:07 (GMT)
committerGeorg Brandl <georg@python.org>2008-07-23 16:13:07 (GMT)
commitd492ad80c872d264ed46bec71e31a00f174ac819 (patch)
treedae53e48f72c579307f3d4cae26244143c2f9138 /Objects
parentc1c54c1b04f469bedf820ff14e083da63b77aaaa (diff)
downloadcpython-d492ad80c872d264ed46bec71e31a00f174ac819.zip
cpython-d492ad80c872d264ed46bec71e31a00f174ac819.tar.gz
cpython-d492ad80c872d264ed46bec71e31a00f174ac819.tar.bz2
Merged revisions 65182 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk ........ r65182 | gregory.p.smith | 2008-07-22 06:46:32 +0200 (Tue, 22 Jul 2008) | 7 lines Issue #2620: Overflow checking when allocating or reallocating memory was not always being done properly in some python types and extension modules. PyMem_MALLOC, PyMem_REALLOC, PyMem_NEW and PyMem_RESIZE have all been updated to perform better checks and places in the code that would previously leak memory on the error path when such an allocation failed have been fixed. ........
Diffstat (limited to 'Objects')
-rw-r--r--Objects/obmalloc.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/Objects/obmalloc.c b/Objects/obmalloc.c
index efbd566..da8f9c2 100644
--- a/Objects/obmalloc.c
+++ b/Objects/obmalloc.c
@@ -727,6 +727,15 @@ PyObject_Malloc(size_t nbytes)
uint size;
/*
+ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes.
+ * Most python internals blindly use a signed Py_ssize_t to track
+ * things without checking for overflows or negatives.
+ * As size_t is unsigned, checking for nbytes < 0 is not required.
+ */
+ if (nbytes > PY_SSIZE_T_MAX)
+ return NULL;
+
+ /*
* This implicitly redirects malloc(0).
*/
if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) {
@@ -1130,6 +1139,15 @@ PyObject_Realloc(void *p, size_t nbytes)
if (p == NULL)
return PyObject_Malloc(nbytes);
+ /*
+ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes.
+ * Most python internals blindly use a signed Py_ssize_t to track
+ * things without checking for overflows or negatives.
+ * As size_t is unsigned, checking for nbytes < 0 is not required.
+ */
+ if (nbytes > PY_SSIZE_T_MAX)
+ return NULL;
+
pool = POOL_ADDR(p);
if (Py_ADDRESS_IN_RANGE(p, pool)) {
/* We're in charge of this block */