From c04ddff290fc203d05b75c8569b748525fb76b5b Mon Sep 17 00:00:00 2001
From: Mark Dickinson <mdickinson@enthought.com>
Date: Sat, 6 Oct 2012 18:04:49 +0100
Subject: Issue #16096: Fix several occurrences of potential signed integer
 overflow.  Thanks Serhiy Storchaka.

---
 Objects/tupleobject.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

(limited to 'Objects/tupleobject.c')

diff --git a/Objects/tupleobject.c b/Objects/tupleobject.c
index b76125a1c1..9c843fa981 100644
--- a/Objects/tupleobject.c
+++ b/Objects/tupleobject.c
@@ -96,15 +96,11 @@ PyTuple_New(register Py_ssize_t size)
     else
 #endif
     {
-        Py_ssize_t nbytes = size * sizeof(PyObject *);
         /* Check for overflow */
-        if (nbytes / sizeof(PyObject *) != (size_t)size ||
-            (nbytes > PY_SSIZE_T_MAX - sizeof(PyTupleObject) - sizeof(PyObject *)))
-        {
+        if (size > (PY_SSIZE_T_MAX - sizeof(PyTupleObject) -
+                    sizeof(PyObject *)) / sizeof(PyObject *)) {
             return PyErr_NoMemory();
         }
-        /* nbytes += sizeof(PyTupleObject) - sizeof(PyObject *); */
-
         op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size);
         if (op == NULL)
             return NULL;
@@ -481,9 +477,9 @@ tuplerepeat(PyTupleObject *a, Py_ssize_t n)
         if (Py_SIZE(a) == 0)
             return PyTuple_New(0);
     }
-    size = Py_SIZE(a) * n;
-    if (size/Py_SIZE(a) != n)
+    if (n > PY_SSIZE_T_MAX / Py_SIZE(a))
         return PyErr_NoMemory();
+    size = Py_SIZE(a) * n;
     np = (PyTupleObject *) PyTuple_New(size);
     if (np == NULL)
         return NULL;
-- 
cgit v1.2.1