Security patches from Apple: prevent int overflow when allocating memory

Neal Norwitz 2008-07-31 17:17:14 +00:00
parent e70f8e1205
commit e7d8be80ba
13 changed files with 258 additions and 29 deletions


@ -74,6 +74,11 @@ PyString_FromStringAndSize(const char *str, Py_ssize_t size)
return (PyObject *)op;
}
if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
PyErr_SetString(PyExc_OverflowError, "string is too large");
return NULL;
}
/* Inline PyObject_NewVar */
op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
if (op == NULL)
@ -109,7 +114,7 @@ PyString_FromString(const char *str)
assert(str != NULL);
size = strlen(str);
if (size > PY_SSIZE_T_MAX) {
if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
PyErr_SetString(PyExc_OverflowError,
"string is too long for a Python string");
return NULL;
@ -977,13 +982,23 @@ string_concat(register PyStringObject *a, register PyObject *bb)
return (PyObject *)a;
}
size = Py_SIZE(a) + Py_SIZE(b);
if (size < 0) {
/* Check that string sizes are not negative, to prevent an
overflow in cases where we are passed incorrectly-created
strings with negative lengths (due to a bug in other code).
*/
if (Py_SIZE(a) < 0 || Py_SIZE(b) < 0 ||
Py_SIZE(a) > PY_SSIZE_T_MAX - Py_SIZE(b)) {
PyErr_SetString(PyExc_OverflowError,
"strings are too large to concat");
return NULL;
}
/* Inline PyObject_NewVar */
if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
PyErr_SetString(PyExc_OverflowError,
"strings are too large to concat");
return NULL;
}
op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
if (op == NULL)
return PyErr_NoMemory();
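Review bot: In the string_concat hunk, `size = Py_SIZE(a) + Py_SIZE(b);` is still evaluated before the new range check, so when the two lengths sum past PY_SSIZE_T_MAX the signed addition has already overflowed (undefined behaviour in C) by the time the guard runs. The guard `Py_SIZE(a) > PY_SSIZE_T_MAX - Py_SIZE(b)` is itself overflow-free, so the assignment should move below it, where `size` is computed only from operands known to fit. Separately, the `size > PY_SSIZE_T_MAX - sizeof(PyStringObject)` tests here and in PyString_FromStringAndSize compare a signed Py_ssize_t with a size_t expression and so rely on implicit conversion to unsigned. A short comment such as `/* size is converted to size_t here; a negative value compares as too large */` would make that intent visible. string_concat's body begins and ends outside the hunk.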