mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-09-26 10:19:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

Security patches from Apple: prevent int overflow when allocating memory

Browse source
This commit is contained in:
Neal Norwitz 2008-07-31 17:17:14 +00:00
parent e70f8e1205
commit e7d8be80ba
13 changed files with 258 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

7
Modules/gcmodule.c
View file

@ -1342,7 +1342,10 @@ PyObject *
_PyObject_GC_Malloc(size_t basicsize)
{
PyObject *op;
PyGC_Head *g = (PyGC_Head *)PyObject_MALLOC(
PyGC_Head *g;
if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head))
return PyErr_NoMemory();
g = (PyGC_Head *)PyObject_MALLOC(
sizeof(PyGC_Head) + basicsize);
if (g == NULL)
return PyErr_NoMemory();
@ -1385,6 +1388,8 @@ _PyObject_GC_Resize(PyVarObject *op, Py_ssize_t nitems)
{
const size_t basicsize = _PyObject_VAR_SIZE(Py_TYPE(op), nitems);
PyGC_Head *g = AS_GC(op);
if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head))
return (PyVarObject *)PyErr_NoMemory();
g = (PyGC_Head *)PyObject_REALLOC(g, sizeof(PyGC_Head) + basicsize);
if (g == NULL)
return (PyVarObject *)PyErr_NoMemory();

2
Modules/mmapmodule.c
View file

@ -239,7 +239,7 @@ mmap_read_method(mmap_object *self,
return(NULL);
/* silently 'adjust' out-of-range requests */
if ((self->pos + num_bytes) > self->size) {
if (num_bytes > self->size - self->pos) {
num_bytes -= (self->pos+num_bytes) - self->size;
}
result = Py_BuildValue("s#", self->data+self->pos, num_bytes);

15
Modules/stropmodule.c
View file

@ -216,6 +216,13 @@ strop_joinfields(PyObject *self, PyObject *args)
return NULL;
}
slen = PyString_GET_SIZE(item);
if (slen > PY_SSIZE_T_MAX - reslen ||
seplen > PY_SSIZE_T_MAX - reslen - seplen) {
PyErr_SetString(PyExc_OverflowError,
"input too long");
Py_DECREF(res);
return NULL;
}
while (reslen + slen + seplen >= sz) {
if (_PyString_Resize(&res, sz * 2) < 0)
return NULL;
@ -253,6 +260,14 @@ strop_joinfields(PyObject *self, PyObject *args)
return NULL;
}
slen = PyString_GET_SIZE(item);
if (slen > PY_SSIZE_T_MAX - reslen ||
seplen > PY_SSIZE_T_MAX - reslen - seplen) {
PyErr_SetString(PyExc_OverflowError,
"input too long");
Py_DECREF(res);
Py_XDECREF(item);
return NULL;
}
while (reslen + slen + seplen >= sz) {
if (_PyString_Resize(&res, sz * 2) < 0) {
Py_DECREF(item);