Gentoo Attachment #161579 for bug #232137

View | Details | Raw Unified
Collapse All | Expand All

(-) Python-2.4.4/Python/bltinmodule.c (-4 / +56 lines)

Lines 2376-2386 filterstring(PyObject func, PyObject s	Link Here

					PyString_AS_STRING(item)[0];

					PyString_AS_STRING(item)[0];

			} else {

			} else {

				/* do we need more space? */

				/* do we need more space? */

				int need = j + reslen + len-i-1;

				int need = j;

				/* calculate space requirements while checking for overflow */

				if (need > INT_MAX - reslen) {

					Py_DECREF(item);

					goto Fail_1;

				need += reslen;

				if (need > INT_MAX - len) {

					Py_DECREF(item);

					goto Fail_1;

				need += len;

				if (need <= i) {

					Py_DECREF(item);

					goto Fail_1;

				need = need - i - 1;

				assert(need >= 0);

				assert(outlen >= 0);

				if (need > outlen) {

				if (need > outlen) {

					/* overallocate, to avoid reallocations */

					/* overallocate, to avoid reallocations */

					if (need<2*outlen)

					if (outlen > INT_MAX / 2) {

						Py_DECREF(item);

						return NULL;

					if (need<2*outlen) {

						need = 2*outlen;

						need = 2*outlen;

					if (_PyString_Resize(&result, need)) {

					if (_PyString_Resize(&result, need)) {

						Py_DECREF(item);

						Py_DECREF(item);

						return NULL;

						return NULL;

Lines 2472-2482 filterunicode(PyObject func, PyObject	Link Here

			else {

			else {

				/* do we need more space? */

				/* do we need more space? */

				int need = j + reslen + len - i - 1;

				int need = j + reslen + len - i - 1;

				/* check that didnt overflow */

				if ((j > INT_MAX - reslen) ||

					((j + reslen) > INT_MAX - len) ||

						((j + reslen + len) < i) ||

							((j + reslen + len - i) <= 0)) {

					Py_DECREF(item);

					return NULL;

				assert(need >= 0);

				assert(outlen >= 0);

				if (need > outlen) {

				if (need > outlen) {

					/* overallocate,

					/* overallocate,

					   to avoid reallocations */

					   to avoid reallocations */

					if (need < 2 * outlen)

					if (need < 2 * outlen) {

						need = 2 * outlen;

						if (outlen > INT_MAX / 2) {

							Py_DECREF(item);

							return NULL;

						} else {

							need = 2 * outlen;

					if (PyUnicode_Resize(

					if (PyUnicode_Resize(

						&result, need) < 0) {

						&result, need) < 0) {

						Py_DECREF(item);

						Py_DECREF(item);

(-) Python-2.4.4/Include/pyport.h (+11 lines)

Lines 616-621 typedef struct fd_set {	Link Here

#error "LONG_BIT definition appears wrong for platform (bad gcc/glibc config?)."

#error "LONG_BIT definition appears wrong for platform (bad gcc/glibc config?)."

#endif

#endif

/* Largest possible value of size_t.

   SIZE_MAX is part of C99, so it might be defined on some

   platforms. If it is not defined, (size_t)-1 is a portable

   definition for C89, due to the way signed->unsigned

   conversion is defined. */

#ifdef SIZE_MAX

#define PY_SIZE_MAX SIZE_MAX

#else

#define PY_SIZE_MAX ((size_t)-1)

#endif

#ifdef __cplusplus

#ifdef __cplusplus

#endif

#endif

(-) Python-2.4.4/Include/pymem.h (-4 / +8 lines)

Lines 86-99 PyAPI_FUNC(void) PyMem_Free(void *);	Link Here

*/

*/

#define PyMem_New(type, n) \

#define PyMem_New(type, n) \

	( (type *) PyMem_Malloc((n) * sizeof(type)) )

  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \

	( (type *) PyMem_Malloc((n) * sizeof(type)) ) )

#define PyMem_NEW(type, n) \

#define PyMem_NEW(type, n) \

	( (type *) PyMem_MALLOC((n) * sizeof(type)) )

  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \

	( (type *) PyMem_MALLOC((n) * sizeof(type)) ) )

#define PyMem_Resize(p, type, n) \

#define PyMem_Resize(p, type, n) \

	( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) )

  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \

	( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) )

#define PyMem_RESIZE(p, type, n) \

#define PyMem_RESIZE(p, type, n) \

	( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) )

  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \

	( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) )

/* In order to avoid breaking old code mixing PyObject_{New, NEW} with

/* In order to avoid breaking old code mixing PyObject_{New, NEW} with

   PyMem_{Del, DEL} and PyMem_{Free, FREE}, the PyMem "release memory"

   PyMem_{Del, DEL} and PyMem_{Free, FREE}, the PyMem "release memory"

(-) Python-2.4.4/Objects/bufferobject.c (+6 lines)

Lines 167-172 PyBuffer_New(int size)	Link Here

				"size must be zero or positive");

				"size must be zero or positive");

		return NULL;

		return NULL;

	if (sizeof(*b) > INT_MAX - size) {

		/* unlikely */

		return PyErr_NoMemory();

	/* Inline PyObject_New */

	/* Inline PyObject_New */

	o = PyObject_MALLOC(sizeof(*b) + size);

	o = PyObject_MALLOC(sizeof(*b) + size);

	if ( o == NULL )

	if ( o == NULL )

Lines 355-360 buffer_concat(PyBufferObject *self, PyOb	Link Here

	if ( (count = (*pb->bf_getreadbuffer)(other, 0, &ptr2)) < 0 )

	if ( (count = (*pb->bf_getreadbuffer)(other, 0, &ptr2)) < 0 )

		return NULL;

		return NULL;

	assert(count <= PY_SIZE_MAX - size);

 	ob = PyString_FromStringAndSize(NULL, size + count);

 	ob = PyString_FromStringAndSize(NULL, size + count);

 	p = PyString_AS_STRING(ob);

 	p = PyString_AS_STRING(ob);

 	memcpy(p, ptr1, size);

 	memcpy(p, ptr1, size);

(-) Python-2.4.4/Objects/listobject.c (-3 / +19 lines)

Lines 45-51 list_resize(PyListObject *self, int news	Link Here

	 * system realloc().

	 * system realloc().

	 * The growth pattern is:  0, 4, 8, 16, 25, 35, 46, 58, 72, 88, ...

	 * The growth pattern is:  0, 4, 8, 16, 25, 35, 46, 58, 72, 88, ...

*/

*/

	new_allocated = (newsize >> 3) + (newsize < 9 ? 3 : 6) + newsize;

	new_allocated = (newsize >> 3) + (newsize < 9 ? 3 : 6);

	/* check for integer overflow */

	if (new_allocated > PY_SIZE_MAX - newsize) {

		PyErr_NoMemory();

		return -1;

	} else {

		new_allocated += newsize;

	if (newsize == 0)

	if (newsize == 0)

		new_allocated = 0;

		new_allocated = 0;

	items = self->ob_item;

	items = self->ob_item;

Lines 92-99 PyList_New(int size)	Link Here

		return NULL;

		return NULL;

	nbytes = size * sizeof(PyObject *);

	nbytes = size * sizeof(PyObject *);

	/* Check for overflow */

	/* Check for overflow without an actual overflow,

	if (nbytes / sizeof(PyObject *) != (size_t)size)

	 *  which can cause compiler to optimise out */

	if (size > PY_SIZE_MAX / sizeof(PyObject *))

		return PyErr_NoMemory();

		return PyErr_NoMemory();

	if (num_free_lists) {

	if (num_free_lists) {

		num_free_lists--;

		num_free_lists--;

Lines 1372-1377 merge_getmem(MergeState *ms, int need)	Link Here

	 * we don't care what's in the block.

	 * we don't care what's in the block.

*/

*/

	merge_freemem(ms);

	merge_freemem(ms);

	if (need > INT_MAX / sizeof(PyObject*)) {

		PyErr_NoMemory();

		return -1;

	ms->a = (PyObject **)PyMem_Malloc(need * sizeof(PyObject*));

	ms->a = (PyObject **)PyMem_Malloc(need * sizeof(PyObject*));

	if (ms->a) {

	if (ms->a) {

		ms->alloced = need;

		ms->alloced = need;

Lines 2550-2555 list_ass_subscript(PyListObject* self, P	Link Here

				step = -step;

				step = -step;

			assert(slicelength <= PY_SIZE_MAX / sizeof(PyObject*));

			garbage = (PyObject**)

			garbage = (PyObject**)

				PyMem_MALLOC(slicelength*sizeof(PyObject*));

				PyMem_MALLOC(slicelength*sizeof(PyObject*));

			if (!garbage) {

			if (!garbage) {

(-) Python-2.4.4/Misc/NEWS (+4 lines)

Lines 23-28 What's New in Python 2.4.4c1?	Link Here

Core and builtins

Core and builtins

-----------------

-----------------

- Added checks for integer overflows, contributed by Google. Some are

  only available if asserts are left in the code, in cases where they

  can't be triggered from Python code.

- Bug #1456209: In some obscure cases it was possible for a class with a

- Bug #1456209: In some obscure cases it was possible for a class with a

  custom ``__eq__()`` method to confuse dict internals when class instances

  custom ``__eq__()`` method to confuse dict internals when class instances

  were used as a dict's keys and the ``__eq__()`` method mutated the dict.

  were used as a dict's keys and the ``__eq__()`` method mutated the dict.

(-) Python-2.4.4/Parser/node.c (+3 lines)

Lines 91-96 PyNode_AddChild(register node *n1, int t	Link Here

	if (current_capacity < 0 || required_capacity < 0)

	if (current_capacity < 0 || required_capacity < 0)

		return E_OVERFLOW;

		return E_OVERFLOW;

	if (current_capacity < required_capacity) {

	if (current_capacity < required_capacity) {

		if (required_capacity > PY_SIZE_MAX / sizeof(node)) {

			return E_NOMEM;

		n = n1->n_child;

		n = n1->n_child;

		n = (node *) PyObject_REALLOC(n,

		n = (node *) PyObject_REALLOC(n,

					      required_capacity * sizeof(node));

					      required_capacity * sizeof(node));

(-) Python-2.4.4/Modules/rgbimgmodule.c (-5 / +29 lines)

Lines 269-275 longimagedata(PyObject self, PyObject	Link Here

	Py_Int32 *starttab = NULL, *lengthtab = NULL;

	Py_Int32 *starttab = NULL, *lengthtab = NULL;

	FILE *inf = NULL;

	FILE *inf = NULL;

	IMAGE image;

	IMAGE image;

	int y, z, tablen;

	int y, z, tablen, new_size;

	int xsize, ysize, zsize;

	int xsize, ysize, zsize;

	int bpp, rle, cur, badorder;

	int bpp, rle, cur, badorder;

	int rlebuflen;

	int rlebuflen;

Lines 306-314 longimagedata(PyObject self, PyObject	Link Here

	if (rle) {

	if (rle) {

		tablen = ysize * zsize * sizeof(Py_Int32);

		tablen = ysize * zsize * sizeof(Py_Int32);

		rlebuflen = (int) (1.05 * xsize +10);

		if ((tablen / sizeof(Py_Int32)) != (ysize * zsize) ||

		    rlebuflen < 0) {

			PyErr_NoMemory();

			goto finally;

		starttab = (Py_Int32 *)malloc(tablen);

		starttab = (Py_Int32 *)malloc(tablen);

		lengthtab = (Py_Int32 *)malloc(tablen);

		lengthtab = (Py_Int32 *)malloc(tablen);

		rlebuflen = (int) (1.05 * xsize +10);

		rledat = (unsigned char *)malloc(rlebuflen);

		rledat = (unsigned char *)malloc(rlebuflen);

		if (!starttab || !lengthtab || !rledat) {

		if (!starttab || !lengthtab || !rledat) {

			PyErr_NoMemory();

			PyErr_NoMemory();

Lines 336-343 longimagedata(PyObject self, PyObject	Link Here

		fseek(inf, 512 + 2 * tablen, SEEK_SET);

		fseek(inf, 512 + 2 * tablen, SEEK_SET);

		cur = 512 + 2 * tablen;

		cur = 512 + 2 * tablen;

		new_size = xsize * ysize + TAGLEN;

		if (new_size < 0 || (new_size * sizeof(Py_Int32)) < 0) {

			PyErr_NoMemory();

			goto finally;

		rv = PyString_FromStringAndSize((char *)NULL,

		rv = PyString_FromStringAndSize((char *)NULL,

				      (xsize * ysize + TAGLEN) * sizeof(Py_Int32));

				      new_size * sizeof(Py_Int32));

		if (rv == NULL)

		if (rv == NULL)

			goto finally;

			goto finally;

Lines 405-412 longimagedata(PyObject self, PyObject	Link Here

			copybw((Py_Int32 *) base, xsize * ysize);

			copybw((Py_Int32 *) base, xsize * ysize);

	else {

	else {

		new_size = xsize * ysize + TAGLEN;

		if (new_size < 0 || (new_size * sizeof(Py_Int32)) < 0) {

			PyErr_NoMemory();

			goto finally;

		rv = PyString_FromStringAndSize((char *) 0,

		rv = PyString_FromStringAndSize((char *) 0,

					   (xsize*ysize+TAGLEN)*sizeof(Py_Int32));

						new_size*sizeof(Py_Int32));

		if (rv == NULL)

		if (rv == NULL)

			goto finally;

			goto finally;

Lines 595-604 longstoimage(PyObject self, PyObject a	Link Here

		return NULL;

		return NULL;

	tablen = ysize * zsize * sizeof(Py_Int32);

	tablen = ysize * zsize * sizeof(Py_Int32);

	rlebuflen = (int) (1.05 * xsize + 10);

	if ((tablen / sizeof(Py_Int32)) != (ysize * zsize) ||

	    rlebuflen < 0 || (xsize * sizeof(Py_Int32)) < 0) {

		PyErr_NoMemory();

		goto finally;

	starttab = (Py_Int32 *)malloc(tablen);

	starttab = (Py_Int32 *)malloc(tablen);

	lengthtab = (Py_Int32 *)malloc(tablen);

	lengthtab = (Py_Int32 *)malloc(tablen);

	rlebuflen = (int) (1.05 * xsize + 10);

	rlebuf = (unsigned char *)malloc(rlebuflen);

	rlebuf = (unsigned char *)malloc(rlebuflen);

	lumbuf = (unsigned char *)malloc(xsize * sizeof(Py_Int32));

	lumbuf = (unsigned char *)malloc(xsize * sizeof(Py_Int32));

	if (!starttab || !lengthtab || !rlebuf || !lumbuf) {

	if (!starttab || !lengthtab || !rlebuf || !lumbuf) {

(-) Python-2.4.4/Modules/datetimemodule.c (+7 lines)

Lines 1111-1116 format_utcoffset(char *buf, size_t bufle	Link Here

	char sign;

	char sign;

	int none;

	int none;

	assert(buflen >= 1);

	offset = call_utcoffset(tzinfo, tzinfoarg, &none);

	offset = call_utcoffset(tzinfo, tzinfoarg, &none);

	if (offset == -1 && PyErr_Occurred())

	if (offset == -1 && PyErr_Occurred())

		return -1;

		return -1;

Lines 1188-1193 wrap_strftime(PyObject *object, PyObject	Link Here

	 * a new format.  Since computing the replacements for those codes

	 * a new format.  Since computing the replacements for those codes

	 * is expensive, don't unless they're actually used.

	 * is expensive, don't unless they're actually used.

*/

*/

	if (PyString_Size(format) > INT_MAX - 1) {

		PyErr_NoMemory();

		goto Done;

	totalnew = PyString_Size(format) + 1;	/* realistic if no %z/%Z */

	totalnew = PyString_Size(format) + 1;	/* realistic if no %z/%Z */

	newfmt = PyString_FromStringAndSize(NULL, totalnew);

	newfmt = PyString_FromStringAndSize(NULL, totalnew);

	if (newfmt == NULL) goto Done;

	if (newfmt == NULL) goto Done;

(-) Python-2.4.4/Modules/cjkcodecs/multibytecodec.c (-3 / +17 lines)

Lines 100-111 get_errorcallback(const char *errors)	Link Here

static int

static int

expand_encodebuffer(MultibyteEncodeBuffer *buf, int esize)

expand_encodebuffer(MultibyteEncodeBuffer *buf, int esize)

	int orgpos, orgsize;

	int orgpos, orgsize, incsize;

	orgpos = (int)((char*)buf->outbuf - PyString_AS_STRING(buf->outobj));

	orgpos = (int)((char*)buf->outbuf - PyString_AS_STRING(buf->outobj));

	orgsize = PyString_GET_SIZE(buf->outobj);

	orgsize = PyString_GET_SIZE(buf->outobj);

	if (_PyString_Resize(&buf->outobj, orgsize + (

	incsize = (esize < (orgsize >> 1) ? (orgsize >> 1) | 1 : esize);

	    esize < (orgsize >> 1) ? (orgsize >> 1) | 1 : esize)) == -1)

	if (orgsize > INT_MAX - incsize)

		return -1;

	if (_PyString_Resize(&buf->outobj, orgsize + incsize) == -1)

		return -1;

		return -1;

	buf->outbuf = (unsigned char *)PyString_AS_STRING(buf->outobj) +orgpos;

	buf->outbuf = (unsigned char *)PyString_AS_STRING(buf->outobj) +orgpos;

Lines 416-421 multibytecodec_encode(MultibyteCodec *co	Link Here

	buf.excobj = NULL;

	buf.excobj = NULL;

	buf.inbuf = buf.inbuf_top = *data;

	buf.inbuf = buf.inbuf_top = *data;

	buf.inbuf_end = buf.inbuf_top + datalen;

	buf.inbuf_end = buf.inbuf_top + datalen;

	if (datalen > (INT_MAX - 16) / 2) {

		PyErr_NoMemory();

		goto errorexit;

	buf.outobj = PyString_FromStringAndSize(NULL, datalen * 2 + 16);

	buf.outobj = PyString_FromStringAndSize(NULL, datalen * 2 + 16);

	if (buf.outobj == NULL)

	if (buf.outobj == NULL)

		goto errorexit;

		goto errorexit;

Lines 725-730 mbstreamreader_iread(MultibyteStreamRead	Link Here

			PyObject *ctr;

			PyObject *ctr;

			char *ctrdata;

			char *ctrdata;

			if (PyString_GET_SIZE(cres) > INT_MAX - self->pendingsize) {

				PyErr_NoMemory();

				goto errorexit;

			rsize = PyString_GET_SIZE(cres) + self->pendingsize;

			rsize = PyString_GET_SIZE(cres) + self->pendingsize;

			ctr = PyString_FromStringAndSize(NULL, rsize);

			ctr = PyString_FromStringAndSize(NULL, rsize);

			if (ctr == NULL)

			if (ctr == NULL)

(-) Python-2.4.4/Modules/arraymodule.c (-1 / +33 lines)

Lines 651-656 array_concat(arrayobject a, PyObject b	Link Here

		PyErr_BadArgument();

		PyErr_BadArgument();

		return NULL;

		return NULL;

	if (a->ob_size > INT_MAX - b->ob_size) {

		return PyErr_NoMemory();

	size = a->ob_size + b->ob_size;

	size = a->ob_size + b->ob_size;

	np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr);

	np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr);

	if (np == NULL) {

	if (np == NULL) {

Lines 673-678 array_repeat(arrayobject *a, int n)	Link Here

	int nbytes;

	int nbytes;

	if (n < 0)

	if (n < 0)

		n = 0;

		n = 0;

	if ((a->ob_size != 0) && (n > INT_MAX / a->ob_size)) {

		return PyErr_NoMemory();

	size = a->ob_size * n;

	size = a->ob_size * n;

	np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr);

	np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr);

	if (np == NULL)

	if (np == NULL)

Lines 817-822 array_do_extend(arrayobject *self, PyObj	Link Here

			     "can only extend with array of same kind");

			     "can only extend with array of same kind");

		return -1;

		return -1;

	if ((self->ob_size > INT_MAX - b->ob_size) ||

		((self->ob_size + b->ob_size) > INT_MAX / self->ob_descr->itemsize)) {

			PyErr_NoMemory();

			return -1;

	size = self->ob_size + b->ob_size;

	size = self->ob_size + b->ob_size;

        PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize);

        PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize);

        if (self->ob_item == NULL) {

        if (self->ob_item == NULL) {

Lines 858-863 array_inplace_repeat(arrayobject *self,	Link Here

		if (n < 0)

		if (n < 0)

			n = 0;

			n = 0;

		items = self->ob_item;

		items = self->ob_item;

		if ((self->ob_descr->itemsize != 0) &&

			(self->ob_size > INT_MAX / self->ob_descr->itemsize)) {

			return PyErr_NoMemory();

		size = self->ob_size * self->ob_descr->itemsize;

		size = self->ob_size * self->ob_descr->itemsize;

		if (n == 0) {

		if (n == 0) {

			PyMem_FREE(items);

			PyMem_FREE(items);

Lines 866-871 array_inplace_repeat(arrayobject *self,	Link Here

			self->allocated = 0;

			self->allocated = 0;

		else {

		else {

			if (size > INT_MAX / n) {

				return PyErr_NoMemory();

			PyMem_Resize(items, char, n * size);

			PyMem_Resize(items, char, n * size);

			if (items == NULL)

			if (items == NULL)

				return PyErr_NoMemory();

				return PyErr_NoMemory();

Lines 1278-1283 array_fromlist(arrayobject *self, PyObje	Link Here

			if ((*self->ob_descr->setitem)(self,

			if ((*self->ob_descr->setitem)(self,

					self->ob_size - n + i, v) != 0) {

					self->ob_size - n + i, v) != 0) {

				self->ob_size -= n;

				self->ob_size -= n;

				if (itemsize && (self->ob_size > INT_MAX / itemsize)) {

					return PyErr_NoMemory();

				PyMem_RESIZE(item, char,

				PyMem_RESIZE(item, char,

					          self->ob_size * itemsize);

					          self->ob_size * itemsize);

				self->ob_item = item;

				self->ob_item = item;

Lines 1337-1342 array_fromstring(arrayobject *self, PyOb	Link Here

	n = n / itemsize;

	n = n / itemsize;

	if (n > 0) {

	if (n > 0) {

		char *item = self->ob_item;

		char *item = self->ob_item;

		if ((n > INT_MAX - self->ob_size) ||

			((self->ob_size + n) > INT_MAX / itemsize)) {

				return PyErr_NoMemory();

		PyMem_RESIZE(item, char, (self->ob_size + n) * itemsize);

		PyMem_RESIZE(item, char, (self->ob_size + n) * itemsize);

		if (item == NULL) {

		if (item == NULL) {

			PyErr_NoMemory();

			PyErr_NoMemory();

Lines 1362-1369 values,as if it had been read from a fil	Link Here

static PyObject *

static PyObject *

array_tostring(arrayobject *self, PyObject *unused)

array_tostring(arrayobject *self, PyObject *unused)

	return PyString_FromStringAndSize(self->ob_item,

	if (self->ob_size <= INT_MAX / self->ob_descr->itemsize) {

		return PyString_FromStringAndSize(self->ob_item,

				    self->ob_size * self->ob_descr->itemsize);

				    self->ob_size * self->ob_descr->itemsize);

	} else {

		return PyErr_NoMemory();

PyDoc_STRVAR(tostring_doc,

PyDoc_STRVAR(tostring_doc,

Lines 1391-1396 array_fromunicode(arrayobject *self, PyO	Link Here

	if (n > 0) {

	if (n > 0) {

		Py_UNICODE *item = (Py_UNICODE *) self->ob_item;

		Py_UNICODE *item = (Py_UNICODE *) self->ob_item;

		if (self->ob_size > INT_MAX - n) {

			return PyErr_NoMemory();

		PyMem_RESIZE(item, Py_UNICODE, self->ob_size + n);

		PyMem_RESIZE(item, Py_UNICODE, self->ob_size + n);

		if (item == NULL) {

		if (item == NULL) {

			PyErr_NoMemory();

			PyErr_NoMemory();

(-) Python-2.4.4/Modules/cStringIO.c (+11 lines)

Lines 121-126 PyDoc_STRVAR(IO_getval__doc__,	Link Here

static PyObject *

static PyObject *

IO_cgetval(PyObject *self) {

IO_cgetval(PyObject *self) {

        UNLESS (IO__opencheck(IOOOBJECT(self))) return NULL;

        UNLESS (IO__opencheck(IOOOBJECT(self))) return NULL;

	assert(IOOOBJECT(self)->pos >= 0);

        return PyString_FromStringAndSize(((IOobject*)self)->buf,

        return PyString_FromStringAndSize(((IOobject*)self)->buf,

                                          ((IOobject*)self)->pos);

                                          ((IOobject*)self)->pos);

Lines 139-144 IO_getval(IOobject self, PyObject args	Link Here

        else

        else

                  s=self->string_size;

                  s=self->string_size;

        assert(self->pos >= 0);

        return PyString_FromStringAndSize(self->buf, s);

        return PyString_FromStringAndSize(self->buf, s);

Lines 158-163 IO_cread(PyObject self, char *output,	Link Here

        int l;

        int l;

        UNLESS (IO__opencheck(IOOOBJECT(self))) return -1;

        UNLESS (IO__opencheck(IOOOBJECT(self))) return -1;

        assert(IOOOBJECT(self)->pos >= 0);

        assert(IOOOBJECT(self)->string_size >= 0);

        l = ((IOobject*)self)->string_size - ((IOobject*)self)->pos;

        l = ((IOobject*)self)->string_size - ((IOobject*)self)->pos;

        if (n < 0 || n > l) {

        if (n < 0 || n > l) {

                n = l;

                n = l;

Lines 197-202 IO_creadline(PyObject self, char *outp	Link Here

        *output=((IOobject*)self)->buf + ((IOobject*)self)->pos;

        *output=((IOobject*)self)->buf + ((IOobject*)self)->pos;

        l = n - ((IOobject*)self)->buf - ((IOobject*)self)->pos;

        l = n - ((IOobject*)self)->buf - ((IOobject*)self)->pos;

        assert(IOOOBJECT(self)->pos <= INT_MAX - l);

        assert(IOOOBJECT(self)->pos >= 0);

        assert(IOOOBJECT(self)->string_size >= 0);

        ((IOobject*)self)->pos += l;

        ((IOobject*)self)->pos += l;

        return l;

        return l;

Lines 215-220 IO_readline(IOobject self, PyObject ar	Link Here

                n -= m;

                n -= m;

                self->pos -= m;

                self->pos -= m;

        assert(IOOOBJECT(self)->pos >= 0);

        return PyString_FromStringAndSize(output, n);

        return PyString_FromStringAndSize(output, n);

Lines 277-282 IO_tell(IOobject self, PyObject unused	Link Here

        UNLESS (IO__opencheck(self)) return NULL;

        UNLESS (IO__opencheck(self)) return NULL;

        assert(self->pos >= 0);

        return PyInt_FromLong(self->pos);

        return PyInt_FromLong(self->pos);

(-) Python-2.4.4/Modules/stropmodule.c (-4 / +15 lines)

Lines 576-582 strop_expandtabs(PyObject *self, PyObjec	Link Here

	char* e;

	char* e;

	char* p;

	char* p;

	char* q;

	char* q;

	int i, j;

	int i, j, old_j;

	PyObject* out;

	PyObject* out;

	char* string;

	char* string;

	int stringlen;

	int stringlen;

Lines 593-604 strop_expandtabs(PyObject *self, PyObjec	Link Here

	/* First pass: determine size of output string */

	/* First pass: determine size of output string */

	i = j = 0; /* j: current column; i: total of previous lines */

	i = j = old_j = 0; /* j: current column; i: total of previous lines */

	e = string + stringlen;

	e = string + stringlen;

	for (p = string; p < e; p++) {

	for (p = string; p < e; p++) {

		if (*p == '\t')

		if (*p == '\t') {

			j += tabsize - (j%tabsize);

			j += tabsize - (j%tabsize);

		else {

			if (old_j > j) {

				PyErr_SetString(PyExc_OverflowError,

						"new string is too long");

				return NULL;

			old_j = j;

		} else {

			j++;

			j++;

			if (*p == '\n') {

			if (*p == '\n') {

				i += j;

				i += j;

Lines 607-612 strop_expandtabs(PyObject *self, PyObjec	Link Here

	if ((i + j) < 0) {

		PyErr_SetString(PyExc_OverflowError, "new string is too long");

		return NULL;

	/* Second pass: create output string and fill it */

	/* Second pass: create output string and fill it */

	out = PyString_FromStringAndSize(NULL, i+j);

	out = PyString_FromStringAndSize(NULL, i+j);

	if (out == NULL)

	if (out == NULL)

(-) Python-2.4.4/Modules/binascii.c (-2 / +38 lines)

Lines 194-199 binascii_a2b_uu(PyObject *self, PyObject	Link Here

	if ( !PyArg_ParseTuple(args, "t#:a2b_uu", &ascii_data, &ascii_len) )

	if ( !PyArg_ParseTuple(args, "t#:a2b_uu", &ascii_data, &ascii_len) )

		return NULL;

		return NULL;

	assert(ascii_len >= 0);

	/* First byte: binary data length (in bytes) */

	/* First byte: binary data length (in bytes) */

	bin_len = (*ascii_data++ - ' ') & 077;

	bin_len = (*ascii_data++ - ' ') & 077;

	ascii_len--;

	ascii_len--;

Lines 347-352 binascii_a2b_base64(PyObject *self, PyOb	Link Here

	if ( !PyArg_ParseTuple(args, "t#:a2b_base64", &ascii_data, &ascii_len) )

	if ( !PyArg_ParseTuple(args, "t#:a2b_base64", &ascii_data, &ascii_len) )

		return NULL;

		return NULL;

	assert(ascii_len >= 0);

	if (ascii_len > INT_MAX - 3)

		return PyErr_NoMemory();

	bin_len = ((ascii_len+3)/4)*3; /* Upper bound, corrected later */

	bin_len = ((ascii_len+3)/4)*3; /* Upper bound, corrected later */

	/* Allocate the buffer */

	/* Allocate the buffer */

Lines 436-441 binascii_b2a_base64(PyObject *self, PyOb	Link Here

	if ( !PyArg_ParseTuple(args, "s#:b2a_base64", &bin_data, &bin_len) )

	if ( !PyArg_ParseTuple(args, "s#:b2a_base64", &bin_data, &bin_len) )

		return NULL;

		return NULL;

	assert(bin_len >= 0);

	if ( bin_len > BASE64_MAXBIN ) {

	if ( bin_len > BASE64_MAXBIN ) {

		PyErr_SetString(Error, "Too much data for base64 line");

		PyErr_SetString(Error, "Too much data for base64 line");

		return NULL;

		return NULL;

Lines 491-496 binascii_a2b_hqx(PyObject *self, PyObjec	Link Here

	if ( !PyArg_ParseTuple(args, "t#:a2b_hqx", &ascii_data, &len) )

	if ( !PyArg_ParseTuple(args, "t#:a2b_hqx", &ascii_data, &len) )

		return NULL;

		return NULL;

	assert(len >= 0);

	if (len > INT_MAX - 2)

		return PyErr_NoMemory();

	/* Allocate a string that is too big (fixed later)

	/* Allocate a string that is too big (fixed later)

	   Add two to the initial length to prevent interning which

	   Add two to the initial length to prevent interning which

	   would preclude subsequent resizing.  */

	   would preclude subsequent resizing.  */

Lines 554-559 binascii_rlecode_hqx(PyObject *self, PyO	Link Here

	if ( !PyArg_ParseTuple(args, "s#:rlecode_hqx", &in_data, &len) )

	if ( !PyArg_ParseTuple(args, "s#:rlecode_hqx", &in_data, &len) )

		return NULL;

		return NULL;

	assert(len >= 0);

	if (len > INT_MAX / 2 - 2)

		return PyErr_NoMemory();

	/* Worst case: output is twice as big as input (fixed later) */

	/* Worst case: output is twice as big as input (fixed later) */

	if ( (rv=PyString_FromStringAndSize(NULL, len*2+2)) == NULL )

	if ( (rv=PyString_FromStringAndSize(NULL, len*2+2)) == NULL )

		return NULL;

		return NULL;

Lines 603-608 binascii_b2a_hqx(PyObject *self, PyObjec	Link Here

	if ( !PyArg_ParseTuple(args, "s#:b2a_hqx", &bin_data, &len) )

	if ( !PyArg_ParseTuple(args, "s#:b2a_hqx", &bin_data, &len) )

		return NULL;

		return NULL;

	assert(len >= 0);

	if (len > INT_MAX / 2 - 2)

		return PyErr_NoMemory();

	/* Allocate a buffer that is at least large enough */

	/* Allocate a buffer that is at least large enough */

	if ( (rv=PyString_FromStringAndSize(NULL, len*2+2)) == NULL )

	if ( (rv=PyString_FromStringAndSize(NULL, len*2+2)) == NULL )

		return NULL;

		return NULL;

Lines 641-649 binascii_rledecode_hqx(PyObject *self, P	Link Here

	if ( !PyArg_ParseTuple(args, "s#:rledecode_hqx", &in_data, &in_len) )

	if ( !PyArg_ParseTuple(args, "s#:rledecode_hqx", &in_data, &in_len) )

		return NULL;

		return NULL;

	assert(in_len >= 0);

	/* Empty string is a special case */

	/* Empty string is a special case */

	if ( in_len == 0 )

	if ( in_len == 0 )

		return Py_BuildValue("s", "");

		return Py_BuildValue("s", "");

	else if (in_len > INT_MAX / 2)

		return PyErr_NoMemory();

	/* Allocate a buffer of reasonable size. Resized when needed */

	/* Allocate a buffer of reasonable size. Resized when needed */

	out_len = in_len*2;

	out_len = in_len*2;

Lines 669-674 binascii_rledecode_hqx(PyObject *self, P	Link Here

#define OUTBYTE(b) \

#define OUTBYTE(b) \

	do { \

	do { \

		 if ( --out_len_left < 0 ) { \

		 if ( --out_len_left < 0 ) { \

			  if ( out_len > INT_MAX / 2) return PyErr_NoMemory(); \

			  _PyString_Resize(&rv, 2*out_len); \

			  _PyString_Resize(&rv, 2*out_len); \

			  if ( rv == NULL ) return NULL; \

			  if ( rv == NULL ) return NULL; \

			  out_data = (unsigned char *)PyString_AsString(rv) \

			  out_data = (unsigned char *)PyString_AsString(rv) \

Lines 737-743 binascii_crc_hqx(PyObject *self, PyObjec	Link Here

	if ( !PyArg_ParseTuple(args, "s#i:crc_hqx", &bin_data, &len, &crc) )

	if ( !PyArg_ParseTuple(args, "s#i:crc_hqx", &bin_data, &len, &crc) )

		return NULL;

		return NULL;

	while(len--) {

	while(len-- > 0) {

		crc=((crc<<8)&0xff00)^crctab_hqx[((crc>>8)&0xff)^*bin_data++];

		crc=((crc<<8)&0xff00)^crctab_hqx[((crc>>8)&0xff)^*bin_data++];

Lines 881-887 binascii_crc32(PyObject *self, PyObject	Link Here

	/* only want the trailing 32 bits */

	/* only want the trailing 32 bits */

	crc &= 0xFFFFFFFFUL;

	crc &= 0xFFFFFFFFUL;

#endif

#endif

	while (len--)

	while (len-- > 0)

		crc = crc_32_tab[(crc ^ *bin_data++) & 0xffUL] ^ (crc >> 8);

		crc = crc_32_tab[(crc ^ *bin_data++) & 0xffUL] ^ (crc >> 8);

		/* Note:  (crc >> 8) MUST zero fill on left */

		/* Note:  (crc >> 8) MUST zero fill on left */

Lines 911-916 binascii_hexlify(PyObject *self, PyObjec	Link Here

	if (!PyArg_ParseTuple(args, "s#:b2a_hex", &argbuf, &arglen))

	if (!PyArg_ParseTuple(args, "s#:b2a_hex", &argbuf, &arglen))

		return NULL;

		return NULL;

	assert(arglen >= 0);

	if (arglen > INT_MAX / 2)

		return PyErr_NoMemory();

	retval = PyString_FromStringAndSize(NULL, arglen*2);

	retval = PyString_FromStringAndSize(NULL, arglen*2);

	if (!retval)

	if (!retval)

		return NULL;

		return NULL;

Lines 968-973 binascii_unhexlify(PyObject *self, PyObj	Link Here

	if (!PyArg_ParseTuple(args, "s#:a2b_hex", &argbuf, &arglen))

	if (!PyArg_ParseTuple(args, "s#:a2b_hex", &argbuf, &arglen))

		return NULL;

		return NULL;

	assert(arglen >= 0);

	/* XXX What should we do about strings with an odd length?  Should

	/* XXX What should we do about strings with an odd length?  Should

	 * we add an implicit leading zero, or a trailing zero?  For now,

	 * we add an implicit leading zero, or a trailing zero?  For now,

	 * raise an exception.

	 * raise an exception.

(-) Python-2.4.4/Modules/audioop.c (-12 / +44 lines)

Lines 674-680 static PyObject *	Link Here

audioop_tostereo(PyObject *self, PyObject *args)

audioop_tostereo(PyObject *self, PyObject *args)

	signed char *cp, *ncp;

	signed char *cp, *ncp;

	int len, size, val1, val2, val = 0;

	int len, new_len, size, val1, val2, val = 0;

	double fac1, fac2, fval, maxval;

	double fac1, fac2, fval, maxval;

	PyObject *rv;

	PyObject *rv;

	int i;

	int i;

Lines 690-696 audioop_tostereo(PyObject *self, PyObjec	Link Here

		return 0;

		return 0;

	rv = PyString_FromStringAndSize(NULL, len*2);

	new_len = len*2;

	if (new_len < 0) {

		PyErr_SetString(PyExc_MemoryError,

				"not enough memory for output buffer");

		return 0;

	rv = PyString_FromStringAndSize(NULL, new_len);

	if ( rv == 0 )

	if ( rv == 0 )

		return 0;

		return 0;

	ncp = (signed char *)PyString_AsString(rv);

	ncp = (signed char *)PyString_AsString(rv);

Lines 853-859 audioop_lin2lin(PyObject *self, PyObject	Link Here

	signed char *cp;

	signed char *cp;

	unsigned char *ncp;

	unsigned char *ncp;

	int len, size, size2, val = 0;

	int len, new_len, size, size2, val = 0;

	PyObject *rv;

	PyObject *rv;

	int i, j;

	int i, j;

Lines 867-873 audioop_lin2lin(PyObject *self, PyObject	Link Here

		return 0;

		return 0;

	rv = PyString_FromStringAndSize(NULL, (len/size)*size2);

	new_len = (len/size)*size2;

	if (new_len < 0) {

		PyErr_SetString(PyExc_MemoryError,

				"not enough memory for output buffer");

		return 0;

	rv = PyString_FromStringAndSize(NULL, new_len);

	if ( rv == 0 )

	if ( rv == 0 )

		return 0;

		return 0;

	ncp = (unsigned char *)PyString_AsString(rv);

	ncp = (unsigned char *)PyString_AsString(rv);

Lines 903-908 audioop_ratecv(PyObject *self, PyObject	Link Here

	int chan, d, *prev_i, *cur_i, cur_o;

	int chan, d, *prev_i, *cur_i, cur_o;

	PyObject *state, *samps, *str, *rv = NULL;

	PyObject *state, *samps, *str, *rv = NULL;

	int bytes_per_frame;

	int bytes_per_frame;

	size_t alloc_size;

	weightA = 1;

	weightA = 1;

	weightB = 0;

	weightB = 0;

Lines 944-951 audioop_ratecv(PyObject *self, PyObject	Link Here

	inrate /= d;

	inrate /= d;

	outrate /= d;

	outrate /= d;

	prev_i = (int *) malloc(nchannels * sizeof(int));

	alloc_size = sizeof(int) * (unsigned)nchannels;

	cur_i = (int *) malloc(nchannels * sizeof(int));

	if (alloc_size < nchannels) {

		PyErr_SetString(PyExc_MemoryError,

				"not enough memory for output buffer");

		return 0;

	prev_i = (int *) malloc(alloc_size);

	cur_i = (int *) malloc(alloc_size);

	if (prev_i == NULL || cur_i == NULL) {

	if (prev_i == NULL || cur_i == NULL) {

		(void) PyErr_NoMemory();

		(void) PyErr_NoMemory();

		goto exit;

		goto exit;

Lines 1116-1122 audioop_ulaw2lin(PyObject *self, PyObjec	Link Here

	unsigned char *cp;

	unsigned char *cp;

	unsigned char cval;

	unsigned char cval;

	signed char *ncp;

	signed char *ncp;

	int len, size, val;

	int len, new_len, size, val;

	PyObject *rv;

	PyObject *rv;

	int i;

	int i;

Lines 1129-1140 audioop_ulaw2lin(PyObject *self, PyObjec	Link Here

		return 0;

		return 0;

	rv = PyString_FromStringAndSize(NULL, len*size);

	new_len = len*size;

	if (new_len < 0) {

		PyErr_SetString(PyExc_MemoryError,

			"not enough memory for output buffer");

		return 0;

	rv = PyString_FromStringAndSize(NULL, new_len);

	if ( rv == 0 )

	if ( rv == 0 )

		return 0;

		return 0;

	ncp = (signed char *)PyString_AsString(rv);

	ncp = (signed char *)PyString_AsString(rv);

	for ( i=0; i < len*size; i += size ) {

	for ( i=0; i < new_len; i += size ) {

		cval = *cp++;

		cval = *cp++;

		val = st_ulaw_to_linear(cval);

		val = st_ulaw_to_linear(cval);

Lines 1259-1265 audioop_adpcm2lin(PyObject *self, PyObje	Link Here

	signed char *cp;

	signed char *cp;

	signed char *ncp;

	signed char *ncp;

	int len, size, valpred, step, delta, index, sign, vpdiff;

	int len, new_len, size, valpred, step, delta, index, sign, vpdiff;

	PyObject *rv, *str, *state;

	PyObject *rv, *str, *state;

	int i, inputbuffer = 0, bufferstep;

	int i, inputbuffer = 0, bufferstep;

Lines 1281-1287 audioop_adpcm2lin(PyObject *self, PyObje	Link Here

	} else if ( !PyArg_Parse(state, "(ii)", &valpred, &index) )

	} else if ( !PyArg_Parse(state, "(ii)", &valpred, &index) )

		return 0;

		return 0;

	str = PyString_FromStringAndSize(NULL, len*size*2);

	new_len = len*size*2;

	if (new_len < 0) {

		PyErr_SetString(PyExc_MemoryError,

				"not enough memory for output buffer");

		return 0;

	str = PyString_FromStringAndSize(NULL, new_len);

	if ( str == 0 )

	if ( str == 0 )

		return 0;

		return 0;

	ncp = (signed char *)PyString_AsString(str);

	ncp = (signed char *)PyString_AsString(str);

Lines 1289-1295 audioop_adpcm2lin(PyObject *self, PyObje	Link Here

	step = stepsizeTable[index];

	step = stepsizeTable[index];

	bufferstep = 0;

	bufferstep = 0;

	for ( i=0; i < len*size*2; i += size ) {

	for ( i=0; i < new_len; i += size ) {

		/* Step 1 - get the delta value and compute next index */

		/* Step 1 - get the delta value and compute next index */

		if ( bufferstep ) {

		if ( bufferstep ) {

			delta = inputbuffer & 0xf;

			delta = inputbuffer & 0xf;

(-) Python-2.4.4/Modules/cPickle.c (+16 lines)

Lines 3419-3424 load_binstring(Unpicklerobject *self)	Link Here

	if (self->read_func(self, &s, 4) < 0) return -1;

	if (self->read_func(self, &s, 4) < 0) return -1;

	l = calc_binint(s, 4);

	l = calc_binint(s, 4);

	if (l < 0) {

		/* Corrupt or hostile pickle -- we never write one like

		 * this.

*/

		PyErr_SetString(UnpicklingError,

				"BINSTRING pickle has negative byte count");

		return -1;

	if (self->read_func(self, &s, l) < 0)

	if (self->read_func(self, &s, l) < 0)

		return -1;

		return -1;

Lines 3486-3491 load_binunicode(Unpicklerobject *self)	Link Here

	if (self->read_func(self, &s, 4) < 0) return -1;

	if (self->read_func(self, &s, 4) < 0) return -1;

	l = calc_binint(s, 4);

	l = calc_binint(s, 4);

	if (l < 0) {

		/* Corrupt or hostile pickle -- we never write one like

		 * this.

*/

		PyErr_SetString(UnpicklingError,

				"BINUNICODE pickle has negative byte count");

		return -1;

	if (self->read_func(self, &s, l) < 0)

	if (self->read_func(self, &s, l) < 0)

		return -1;

		return -1;

(-) Python-2.4.4/Modules/_csv.c (+10 lines)

Lines 470-475 parse_grow_buff(ReaderObj *self)	Link Here

		self->field = PyMem_Malloc(self->field_size);

		self->field = PyMem_Malloc(self->field_size);

	else {

	else {

		if (self->field_size > INT_MAX / 2) {

			PyErr_NoMemory();

			return 0;

		self->field_size *= 2;

		self->field_size *= 2;

		self->field = PyMem_Realloc(self->field, self->field_size);

		self->field = PyMem_Realloc(self->field, self->field_size);

Lines 1003-1008 join_append_data(WriterObj self, char	Link Here

static int

static int

join_check_rec_size(WriterObj *self, int rec_len)

join_check_rec_size(WriterObj *self, int rec_len)

	if (rec_len < 0 || rec_len > INT_MAX - MEM_INCR) {

		PyErr_NoMemory();

		return 0;

	if (rec_len > self->rec_size) {

	if (rec_len > self->rec_size) {

		if (self->rec_size == 0) {

		if (self->rec_size == 0) {

			self->rec_size = (rec_len / MEM_INCR + 1) * MEM_INCR;

			self->rec_size = (rec_len / MEM_INCR + 1) * MEM_INCR;

Attachment #161579: python-2.4.4-CVE-2008-3143.patch for bug #232137