Merged revisions 64114 via svnmerge from

svn+ssh://pythondev@svn.python.org/python/trunk ........ r64114 | gregory.p.smith | 2008-06-11 09:41:16 +0200 (mer., 11 juin 2008) | 6 lines Merge in release25-maint r60793: Added checks for integer overflows, contributed by Google. Some are only available if asserts are left in the code, in cases where they can't be triggered from Python code. ........
2025-08-04 17:08:35 +00:00 · 2008-06-18 00:47:36 +00:00 · 2008-06-18 00:47:36 +00:00 · 9c74b14fe9
commit 9c74b14fe9
parent 036aa5433e
16 changed files with 299 additions and 44 deletions
--- a/Modules/cjkcodecs/multibytecodec.c
+++ b/Modules/cjkcodecs/multibytecodec.c
@ -172,13 +172,17 @@ static PyGetSetDef codecctx_getsets[] = {
 static int
 expand_encodebuffer(MultibyteEncodeBuffer *buf, Py_ssize_t esize)
 {
-	Py_ssize_t orgpos, orgsize;
+	Py_ssize_t orgpos, orgsize, incsize;

 	orgpos = (Py_ssize_t)((char *)buf->outbuf -
 				PyBytes_AS_STRING(buf->outobj));
 	orgsize = PyBytes_GET_SIZE(buf->outobj);
-	if (_PyBytes_Resize(&buf->outobj, orgsize + (
-	    esize < (orgsize >> 1) ? (orgsize >> 1) | 1 : esize)) == -1)
+	incsize = (esize < (orgsize >> 1) ? (orgsize >> 1) | 1 : esize);
+
+	if (orgsize > PY_SSIZE_T_MAX - incsize)
+		return -1;
+
+	if (_PyBytes_Resize(&buf->outobj, orgsize + incsize) == -1)
 		return -1;

 	buf->outbuf = (unsigned char *)PyBytes_AS_STRING(buf->outobj) +orgpos;
@ -481,6 +485,12 @@ multibytecodec_encode(MultibyteCodec *codec,
 	buf.excobj = NULL;
 	buf.inbuf = buf.inbuf_top = *data;
 	buf.inbuf_end = buf.inbuf_top + datalen;
+
+	if (datalen > (PY_SSIZE_T_MAX - 16) / 2) {
+		PyErr_NoMemory();
+		goto errorexit;
+	}
+
 	buf.outobj = PyBytes_FromStringAndSize(NULL, datalen * 2 + 16);
 	if (buf.outobj == NULL)
 		goto errorexit;
@ -743,6 +753,11 @@ encoder_encode_stateful(MultibyteStatefulEncoderContext *ctx,
 	origpending = ctx->pendingsize;

 	if (origpending > 0) {
+		if (datalen > PY_SSIZE_T_MAX - ctx->pendingsize) {
+			PyErr_NoMemory();
+			/* inbuf_tmp == NULL */
+			goto errorexit;
+		}
 		inbuf_tmp = PyMem_New(Py_UNICODE, datalen + ctx->pendingsize);
 		if (inbuf_tmp == NULL)
 			goto errorexit;
@ -805,9 +820,10 @@ decoder_append_pending(MultibyteStatefulDecoderContext *ctx,
 	Py_ssize_t npendings;

 	npendings = (Py_ssize_t)(buf->inbuf_end - buf->inbuf);
-	if (npendings + ctx->pendingsize > MAXDECPENDING) {
-		PyErr_SetString(PyExc_UnicodeError, "pending buffer overflow");
-		return -1;
+	if (npendings + ctx->pendingsize > MAXDECPENDING ||
+		npendings > PY_SSIZE_T_MAX - ctx->pendingsize) {
+			PyErr_SetString(PyExc_UnicodeError, "pending buffer overflow");
+			return -1;
 	}
 	memcpy(ctx->pending + ctx->pendingsize, buf->inbuf, npendings);
 	ctx->pendingsize += npendings;
@ -1009,7 +1025,7 @@ mbidecoder_decode(MultibyteIncrementalDecoderObject *self,
 		  PyObject *args, PyObject *kwargs)
 {
 	MultibyteDecodeBuffer buf;
-	char *data, *wdata;
+	char *data, *wdata = NULL;
 	Py_ssize_t wsize, finalsize = 0, size, origpending;
 	int final = 0;

@ -1025,6 +1041,10 @@ mbidecoder_decode(MultibyteIncrementalDecoderObject *self,
 		wdata = data;
 	}
 	else {
+		if (size > PY_SSIZE_T_MAX - self->pendingsize) {
+			PyErr_NoMemory();
+			goto errorexit;
+		}
 		wsize = size + self->pendingsize;
 		wdata = PyMem_Malloc(wsize);
 		if (wdata == NULL)
@ -1244,6 +1264,10 @@ mbstreamreader_iread(MultibyteStreamReaderObject *self,
 			PyObject *ctr;
 			char *ctrdata;

+			if (PyBytes_GET_SIZE(cres) > PY_SSIZE_T_MAX - self->pendingsize) {
+				PyErr_NoMemory();
+				goto errorexit;
+            }
 			rsize = PyBytes_GET_SIZE(cres) + self->pendingsize;
 			ctr = PyBytes_FromStringAndSize(NULL, rsize);
 			if (ctr == NULL)