diff options
| author | Thomas Heller <theller@ctypes.org> | 2007-03-23 19:56:45 +0000 |
|---|---|---|
| committer | Thomas Heller <theller@ctypes.org> | 2007-03-23 19:56:45 +0000 |
| commit | b151f721a95637b3d29a188d7064e1375bd8e7eb (patch) | |
| tree | dd739f9a2d5ab1c6c6ffc029da0ad50fc14028d2 | |
| parent | a8ddae61496de68b3c70d8dab364a204f53c153b (diff) | |
| download | cpython-git-b151f721a95637b3d29a188d7064e1375bd8e7eb.tar.gz | |
Prevent creation (followed by a segfault) of array types when the size
overflows the valid Py_ssize_t range. Check return values of
PyMem_Malloc.
Backported from trunk.
| -rw-r--r-- | Modules/_ctypes/_ctypes.c | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/Modules/_ctypes/_ctypes.c b/Modules/_ctypes/_ctypes.c index 941da0b56d..4dd35c233f 100644 --- a/Modules/_ctypes/_ctypes.c +++ b/Modules/_ctypes/_ctypes.c @@ -1002,6 +1002,12 @@ ArrayType_new(PyTypeObject *type, PyObject *args, PyObject *kwds) } itemsize = itemdict->size; + if (length * itemsize < 0) { + PyErr_SetString(PyExc_OverflowError, + "array too large"); + return NULL; + } + itemalign = itemdict->align; stgdict->size = itemsize * length; @@ -2176,7 +2182,7 @@ PyTypeObject CData_Type = { 0, /* tp_free */ }; -static void CData_MallocBuffer(CDataObject *obj, StgDictObject *dict) +static int CData_MallocBuffer(CDataObject *obj, StgDictObject *dict) { if ((size_t)dict->size <= sizeof(obj->b_value)) { /* No need to call malloc, can use the default buffer */ @@ -2193,10 +2199,15 @@ static void CData_MallocBuffer(CDataObject *obj, StgDictObject *dict) 33% of the creation time for c_int(). */ obj->b_ptr = (char *)PyMem_Malloc(dict->size); + if (obj->b_ptr == NULL) { + PyErr_NoMemory(); + return -1; + } obj->b_needsfree = 1; memset(obj->b_ptr, 0, dict->size); } obj->b_size = dict->size; + return 0; } PyObject * @@ -2228,7 +2239,10 @@ CData_FromBaseObj(PyObject *type, PyObject *base, Py_ssize_t index, char *adr) cmem->b_base = (CDataObject *)base; cmem->b_index = index; } else { /* copy contents of adr */ - CData_MallocBuffer(cmem, dict); + if (-1 == CData_MallocBuffer(cmem, dict)) { + return NULL; + Py_DECREF(cmem); + } memcpy(cmem->b_ptr, adr, dict->size); cmem->b_index = index; } @@ -2441,7 +2455,10 @@ GenericCData_new(PyTypeObject *type, PyObject *args, PyObject *kwds) obj->b_objects = NULL; obj->b_length = dict->length; - CData_MallocBuffer(obj, dict); + if (-1 == CData_MallocBuffer(obj, dict)) { + Py_DECREF(obj); + return NULL; + } return (PyObject *)obj; } /*****************************************************************/ |