Merge in release25-maint r60793:

Added checks for integer overflows, contributed by Google. Some are only available if asserts are left in the code, in cases where they can't be triggered from Python code.
author: Gregory P. Smith <greg@mad-scientist.com> 2008-06-11 07:41:16 +0000
committer: Gregory P. Smith <greg@mad-scientist.com> 2008-06-11 07:41:16 +0000
commit: 9d53457e599623fbad90833c3448835b42d7e7f9 (patch)
tree: 41d37b556618eb8e831463c576d854063a33d77b /Objects/bufferobject.c
parent: 73baefd7fc86a7f8336e4142efcec74c201acf8f (diff)
download: cpython-git-9d53457e599623fbad90833c3448835b42d7e7f9.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/Objects/bufferobject.c b/Objects/bufferobject.c
index 37d9bcbb5a..3bd8c6be3e 100644
--- a/Objects/bufferobject.c
+++ b/Objects/bufferobject.c
@@ -207,7 +207,10 @@ PyBuffer_New(Py_ssize_t size)
 				"size must be zero or positive");
 		return NULL;
 	}
-	/* XXX: check for overflow in multiply */
+	if (sizeof(*b) > PY_SSIZE_T_MAX - size) {
+		/* unlikely */
+		return PyErr_NoMemory();
+	}
 	/* Inline PyObject_New */
 	o = (PyObject *)PyObject_MALLOC(sizeof(*b) + size);
 	if ( o == NULL )
@@ -401,6 +404,8 @@ buffer_concat(PyBufferObject *self, PyObject *other)
 	if ( (count = (*pb->bf_getreadbuffer)(other, 0, &ptr2)) < 0 )
 		return NULL;
 
+	assert(count <= PY_SIZE_MAX - size);
+
  	ob = PyString_FromStringAndSize(NULL, size + count);
 	if ( ob == NULL )
 		return NULL;
author	Gregory P. Smith <greg@mad-scientist.com>	2008-06-11 07:41:16 +0000
committer	Gregory P. Smith <greg@mad-scientist.com>	2008-06-11 07:41:16 +0000
commit	9d53457e599623fbad90833c3448835b42d7e7f9 (patch)
tree	41d37b556618eb8e831463c576d854063a33d77b /Objects/bufferobject.c
parent	73baefd7fc86a7f8336e4142efcec74c201acf8f (diff)
download	cpython-git-9d53457e599623fbad90833c3448835b42d7e7f9.tar.gz