Stowage/cpython
2
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2026-01-29 02:32:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

Security patches from Apple: prevent int overflow when allocating memory

Browse source
This commit is contained in:
Neal Norwitz 2008-07-31 17:08:14 +00:00
parent 83ac0144fa
commit 4f3be8a0a9
13 changed files with 244 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

19
Objects/stringobject.c
View file

@ -75,6 +75,11 @@ PyString_FromStringAndSize(const char *str, Py_ssize_t size)
return (PyObject *)op;
}
if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
PyErr_SetString(PyExc_OverflowError, "string is too large");
return NULL;
}
/* Inline PyObject_NewVar */
op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
if (op == NULL)
@ -110,7 +115,7 @@ PyString_FromString(const char *str)
assert(str != NULL);
size = strlen(str);
if (size > PY_SSIZE_T_MAX) {
if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
PyErr_SetString(PyExc_OverflowError,
"string is too long for a Python string");
return NULL;
@ -971,14 +976,24 @@ string_concat(register PyStringObject *a, register PyObject *bb)
Py_INCREF(a);
return (PyObject *)a;
}
/* Check that string sizes are not negative, to prevent an
overflow in cases where we are passed incorrectly-created
strings with negative lengths (due to a bug in other code).
*/
size = a->ob_size + b->ob_size;
if (size < 0) {
if (a->ob_size < 0 || b->ob_size < 0 ||
a->ob_size > PY_SSIZE_T_MAX - b->ob_size) {
PyErr_SetString(PyExc_OverflowError,
"strings are too large to concat");
return NULL;
}
/* Inline PyObject_NewVar */
if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
PyErr_SetString(PyExc_OverflowError,
"strings are too large to concat");
return NULL;
}
op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
if (op == NULL)
return PyErr_NoMemory();