Attachment #161579 for bug #232137




					PyString_AS_STRING(item)[0];
			} else {
				/* do we need more space? */
				int need = j;

				/* calculate space requirements while checking for overflow */
				if (need > INT_MAX - reslen) {
					Py_DECREF(item);
					goto Fail_1;
				}

				need += reslen;

				if (need > INT_MAX - len) {
					Py_DECREF(item);
					goto Fail_1;
				}

				need += len;

				if (need <= i) {
					Py_DECREF(item);
					goto Fail_1;
				}

				need = need - i - 1;

				assert(need >= 0);
				assert(outlen >= 0);

				if (need > outlen) {
					/* overallocate, to avoid reallocations */
					if (outlen > INT_MAX / 2) {
						Py_DECREF(item);
						return NULL;
					}

					if (need<2*outlen) {
						need = 2*outlen;
          }
					if (_PyString_Resize(&result, need)) {
						Py_DECREF(item);
						return NULL;

			else {
				/* do we need more space? */
				int need = j + reslen + len - i - 1;

				/* check that didnt overflow */
				if ((j > INT_MAX - reslen) ||
					((j + reslen) > INT_MAX - len) ||
						((j + reslen + len) < i) ||
							((j + reslen + len - i) <= 0)) {
					Py_DECREF(item);
					return NULL;
				}

				assert(need >= 0);
				assert(outlen >= 0);

				if (need > outlen) {
					/* overallocate, 
					   to avoid reallocations */
					if (need < 2 * outlen) {
						if (outlen > INT_MAX / 2) {
							Py_DECREF(item);
							return NULL;
						} else {
							need = 2 * outlen;
						}
					}

					if (PyUnicode_Resize(
						&result, need) < 0) {
						Py_DECREF(item);




#error "LONG_BIT definition appears wrong for platform (bad gcc/glibc config?)."
#endif

/* Largest possible value of size_t.
   SIZE_MAX is part of C99, so it might be defined on some
   platforms. If it is not defined, (size_t)-1 is a portable
   definition for C89, due to the way signed->unsigned
   conversion is defined. */
#ifdef SIZE_MAX
#define PY_SIZE_MAX SIZE_MAX
#else
#define PY_SIZE_MAX ((size_t)-1)
#endif

#ifdef __cplusplus
}
#endif




 */

#define PyMem_New(type, n) \
  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
	( (type *) PyMem_Malloc((n) * sizeof(type)) ) )
#define PyMem_NEW(type, n) \
  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
	( (type *) PyMem_MALLOC((n) * sizeof(type)) ) )

#define PyMem_Resize(p, type, n) \
  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
	( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) )
#define PyMem_RESIZE(p, type, n) \
  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
	( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) )

/* In order to avoid breaking old code mixing PyObject_{New, NEW} with
   PyMem_{Del, DEL} and PyMem_{Free, FREE}, the PyMem "release memory"

Lines 167-172 PyBuffer_New(int size) Link Here

(-)Python-2.4.4/Objects/bufferobject.c (+6 lines)
167	"size must be zero or positive");	167	"size must be zero or positive");
168	return NULL;	168	return NULL;
169	}	169	}
		170	if (sizeof(*b) > INT_MAX - size) {
		171	/* unlikely */
		172	return PyErr_NoMemory();
		173	}
170	/* Inline PyObject_New */	174	/* Inline PyObject_New */
171	o = PyObject_MALLOC(sizeof(*b) + size);	175	o = PyObject_MALLOC(sizeof(*b) + size);
172	if ( o == NULL )	176	if ( o == NULL )
Lines 355-360 buffer_concat(PyBufferObject *self, PyOb Link Here
355	if ( (count = (*pb->bf_getreadbuffer)(other, 0, &ptr2)) < 0 )	359	if ( (count = (*pb->bf_getreadbuffer)(other, 0, &ptr2)) < 0 )
356	return NULL;	360	return NULL;
357		361
		362	assert(count <= PY_SIZE_MAX - size);
		363
358	ob = PyString_FromStringAndSize(NULL, size + count);	364	ob = PyString_FromStringAndSize(NULL, size + count);
359	p = PyString_AS_STRING(ob);	365	p = PyString_AS_STRING(ob);
360	memcpy(p, ptr1, size);	366	memcpy(p, ptr1, size);




	 * system realloc().
	 * The growth pattern is:  0, 4, 8, 16, 25, 35, 46, 58, 72, 88, ...
	 */
	new_allocated = (newsize >> 3) + (newsize < 9 ? 3 : 6);

	/* check for integer overflow */
	if (new_allocated > PY_SIZE_MAX - newsize) {
		PyErr_NoMemory();
		return -1;
	} else {
		new_allocated += newsize;
	}

	if (newsize == 0)
		new_allocated = 0;
	items = self->ob_item;

		return NULL;
	}
	nbytes = size * sizeof(PyObject *);
	/* Check for overflow without an actual overflow,
	 *  which can cause compiler to optimise out */
	if (size > PY_SIZE_MAX / sizeof(PyObject *))
		return PyErr_NoMemory();
	if (num_free_lists) {
		num_free_lists--;

	 * we don't care what's in the block.
	 */
	merge_freemem(ms);
	if (need > INT_MAX / sizeof(PyObject*)) {
		PyErr_NoMemory();
		return -1;
	}
	ms->a = (PyObject **)PyMem_Malloc(need * sizeof(PyObject*));
	if (ms->a) {
		ms->alloced = need;

				step = -step;
			}

			assert(slicelength <= PY_SIZE_MAX / sizeof(PyObject*));

			garbage = (PyObject**)
				PyMem_MALLOC(slicelength*sizeof(PyObject*));
			if (!garbage) {

Lines 23-28 What's New in Python 2.4.4c1? Link Here

(-)Python-2.4.4/Misc/NEWS (+4 lines)
23	Core and builtins	23	Core and builtins
24	-----------------	24	-----------------
25		25
		26	- Added checks for integer overflows, contributed by Google. Some are
		27	only available if asserts are left in the code, in cases where they
		28	can't be triggered from Python code.
		29
26	- Bug #1456209: In some obscure cases it was possible for a class with a	30	- Bug #1456209: In some obscure cases it was possible for a class with a
27	custom ``__eq__()`` method to confuse dict internals when class instances	31	custom ``__eq__()`` method to confuse dict internals when class instances
28	were used as a dict's keys and the ``__eq__()`` method mutated the dict.	32	were used as a dict's keys and the ``__eq__()`` method mutated the dict.

Lines 91-96 PyNode_AddChild(register node *n1, int t Link Here

(-)Python-2.4.4/Parser/node.c (+3 lines)
91	if (current_capacity < 0 \|\| required_capacity < 0)	91	if (current_capacity < 0 \|\| required_capacity < 0)
92	return E_OVERFLOW;	92	return E_OVERFLOW;
93	if (current_capacity < required_capacity) {	93	if (current_capacity < required_capacity) {
		94	if (required_capacity > PY_SIZE_MAX / sizeof(node)) {
		95	return E_NOMEM;
		96	}
94	n = n1->n_child;	97	n = n1->n_child;
95	n = (node *) PyObject_REALLOC(n,	98	n = (node *) PyObject_REALLOC(n,
96	required_capacity * sizeof(node));	99	required_capacity * sizeof(node));

Lines 269-275 longimagedata(PyObject self, PyObject Link Here

(-)Python-2.4.4/Modules/rgbimgmodule.c (-5 / +29 lines)
269	Py_Int32 starttab = NULL, lengthtab = NULL;	269	Py_Int32 starttab = NULL, lengthtab = NULL;
270	FILE *inf = NULL;	270	FILE *inf = NULL;
271	IMAGE image;	271	IMAGE image;
272	int y, z, tablen;	272	int y, z, tablen, new_size;
273	int xsize, ysize, zsize;	273	int xsize, ysize, zsize;
274	int bpp, rle, cur, badorder;	274	int bpp, rle, cur, badorder;
275	int rlebuflen;	275	int rlebuflen;
Lines 306-314 longimagedata(PyObject self, PyObject Link Here
306	}	306	}
307	if (rle) {	307	if (rle) {
308	tablen = ysize * zsize * sizeof(Py_Int32);	308	tablen = ysize * zsize * sizeof(Py_Int32);
		309	rlebuflen = (int) (1.05 * xsize +10);
		310	if ((tablen / sizeof(Py_Int32)) != (ysize * zsize) \|\|
		311	rlebuflen < 0) {
		312	PyErr_NoMemory();
		313	goto finally;
		314	}
		315
309	starttab = (Py_Int32 *)malloc(tablen);	316	starttab = (Py_Int32 *)malloc(tablen);
310	lengthtab = (Py_Int32 *)malloc(tablen);	317	lengthtab = (Py_Int32 *)malloc(tablen);
311	rlebuflen = (int) (1.05 * xsize +10);
312	rledat = (unsigned char *)malloc(rlebuflen);	318	rledat = (unsigned char *)malloc(rlebuflen);
313	if (!starttab \|\| !lengthtab \|\| !rledat) {	319	if (!starttab \|\| !lengthtab \|\| !rledat) {
314	PyErr_NoMemory();	320	PyErr_NoMemory();
Lines 336-343 longimagedata(PyObject self, PyObject Link Here
336		342
337	fseek(inf, 512 + 2 * tablen, SEEK_SET);	343	fseek(inf, 512 + 2 * tablen, SEEK_SET);
338	cur = 512 + 2 * tablen;	344	cur = 512 + 2 * tablen;
		345	new_size = xsize * ysize + TAGLEN;
		346	if (new_size < 0 \|\| (new_size * sizeof(Py_Int32)) < 0) {
		347	PyErr_NoMemory();
		348	goto finally;
		349	}
		350
339	rv = PyString_FromStringAndSize((char *)NULL,	351	rv = PyString_FromStringAndSize((char *)NULL,
340	(xsize * ysize + TAGLEN) * sizeof(Py_Int32));	352	new_size * sizeof(Py_Int32));
341	if (rv == NULL)	353	if (rv == NULL)
342	goto finally;	354	goto finally;
343		355
Lines 405-412 longimagedata(PyObject self, PyObject Link Here
405	copybw((Py_Int32 ) base, xsize ysize);	417	copybw((Py_Int32 ) base, xsize ysize);
406	}	418	}
407	else {	419	else {
		420	new_size = xsize * ysize + TAGLEN;
		421	if (new_size < 0 \|\| (new_size * sizeof(Py_Int32)) < 0) {
		422	PyErr_NoMemory();
		423	goto finally;
		424	}
		425
408	rv = PyString_FromStringAndSize((char *) 0,	426	rv = PyString_FromStringAndSize((char *) 0,
409	(xsizeysize+TAGLEN)sizeof(Py_Int32));	427	new_size*sizeof(Py_Int32));
410	if (rv == NULL)	428	if (rv == NULL)
411	goto finally;	429	goto finally;
412		430
Lines 595-604 longstoimage(PyObject self, PyObject a Link Here
595	return NULL;	613	return NULL;
596	}	614	}
597	tablen = ysize * zsize * sizeof(Py_Int32);	615	tablen = ysize * zsize * sizeof(Py_Int32);
		616	rlebuflen = (int) (1.05 * xsize + 10);
		617
		618	if ((tablen / sizeof(Py_Int32)) != (ysize * zsize) \|\|
		619	rlebuflen < 0 \|\| (xsize * sizeof(Py_Int32)) < 0) {
		620	PyErr_NoMemory();
		621	goto finally;
		622	}
598		623
599	starttab = (Py_Int32 *)malloc(tablen);	624	starttab = (Py_Int32 *)malloc(tablen);
600	lengthtab = (Py_Int32 *)malloc(tablen);	625	lengthtab = (Py_Int32 *)malloc(tablen);
601	rlebuflen = (int) (1.05 * xsize + 10);
602	rlebuf = (unsigned char *)malloc(rlebuflen);	626	rlebuf = (unsigned char *)malloc(rlebuflen);
603	lumbuf = (unsigned char )malloc(xsize sizeof(Py_Int32));	627	lumbuf = (unsigned char )malloc(xsize sizeof(Py_Int32));
604	if (!starttab \|\| !lengthtab \|\| !rlebuf \|\| !lumbuf) {	628	if (!starttab \|\| !lengthtab \|\| !rlebuf \|\| !lumbuf) {

Lines 1111-1116 format_utcoffset(char *buf, size_t bufle Link Here

(-)Python-2.4.4/Modules/datetimemodule.c (+7 lines)
1111	char sign;	1111	char sign;
1112	int none;	1112	int none;
1113		1113
		1114	assert(buflen >= 1);
		1115
1114	offset = call_utcoffset(tzinfo, tzinfoarg, &none);	1116	offset = call_utcoffset(tzinfo, tzinfoarg, &none);
1115	if (offset == -1 && PyErr_Occurred())	1117	if (offset == -1 && PyErr_Occurred())
1116	return -1;	1118	return -1;
Lines 1188-1193 wrap_strftime(PyObject *object, PyObject Link Here
1188	* a new format. Since computing the replacements for those codes	1190	* a new format. Since computing the replacements for those codes
1189	* is expensive, don't unless they're actually used.	1191	* is expensive, don't unless they're actually used.
1190	*/	1192	*/
		1193	if (PyString_Size(format) > INT_MAX - 1) {
		1194	PyErr_NoMemory();
		1195	goto Done;
		1196	}
		1197
1191	totalnew = PyString_Size(format) + 1; /* realistic if no %z/%Z */	1198	totalnew = PyString_Size(format) + 1; /* realistic if no %z/%Z */
1192	newfmt = PyString_FromStringAndSize(NULL, totalnew);	1199	newfmt = PyString_FromStringAndSize(NULL, totalnew);
1193	if (newfmt == NULL) goto Done;	1200	if (newfmt == NULL) goto Done;

Lines 100-111 get_errorcallback(const char *errors) Link Here

(-)Python-2.4.4/Modules/cjkcodecs/multibytecodec.c (-3 / +17 lines)
100	static int	100	static int
101	expand_encodebuffer(MultibyteEncodeBuffer *buf, int esize)	101	expand_encodebuffer(MultibyteEncodeBuffer *buf, int esize)
102	{	102	{
103	int orgpos, orgsize;	103	int orgpos, orgsize, incsize;
104		104
105	orgpos = (int)((char*)buf->outbuf - PyString_AS_STRING(buf->outobj));	105	orgpos = (int)((char*)buf->outbuf - PyString_AS_STRING(buf->outobj));
106	orgsize = PyString_GET_SIZE(buf->outobj);	106	orgsize = PyString_GET_SIZE(buf->outobj);
107	if (_PyString_Resize(&buf->outobj, orgsize + (	107	incsize = (esize < (orgsize >> 1) ? (orgsize >> 1) \| 1 : esize);
108	esize < (orgsize >> 1) ? (orgsize >> 1) \| 1 : esize)) == -1)	108
		109	if (orgsize > INT_MAX - incsize)
		110	return -1;
		111
		112	if (_PyString_Resize(&buf->outobj, orgsize + incsize) == -1)
109	return -1;	113	return -1;
110		114
111	buf->outbuf = (unsigned char *)PyString_AS_STRING(buf->outobj) +orgpos;	115	buf->outbuf = (unsigned char *)PyString_AS_STRING(buf->outobj) +orgpos;
Lines 416-421 multibytecodec_encode(MultibyteCodec *co Link Here
416	buf.excobj = NULL;	420	buf.excobj = NULL;
417	buf.inbuf = buf.inbuf_top = *data;	421	buf.inbuf = buf.inbuf_top = *data;
418	buf.inbuf_end = buf.inbuf_top + datalen;	422	buf.inbuf_end = buf.inbuf_top + datalen;
		423
		424	if (datalen > (INT_MAX - 16) / 2) {
		425	PyErr_NoMemory();
		426	goto errorexit;
		427	}
		428
419	buf.outobj = PyString_FromStringAndSize(NULL, datalen * 2 + 16);	429	buf.outobj = PyString_FromStringAndSize(NULL, datalen * 2 + 16);
420	if (buf.outobj == NULL)	430	if (buf.outobj == NULL)
421	goto errorexit;	431	goto errorexit;
Lines 725-730 mbstreamreader_iread(MultibyteStreamRead Link Here
725	PyObject *ctr;	735	PyObject *ctr;
726	char *ctrdata;	736	char *ctrdata;
727		737
		738	if (PyString_GET_SIZE(cres) > INT_MAX - self->pendingsize) {
		739	PyErr_NoMemory();
		740	goto errorexit;
		741	}
728	rsize = PyString_GET_SIZE(cres) + self->pendingsize;	742	rsize = PyString_GET_SIZE(cres) + self->pendingsize;
729	ctr = PyString_FromStringAndSize(NULL, rsize);	743	ctr = PyString_FromStringAndSize(NULL, rsize);
730	if (ctr == NULL)	744	if (ctr == NULL)

Lines 651-656 array_concat(arrayobject a, PyObject b Link Here

(-)Python-2.4.4/Modules/arraymodule.c (-1 / +33 lines)
651	PyErr_BadArgument();	651	PyErr_BadArgument();
652	return NULL;	652	return NULL;
653	}	653	}
		654	if (a->ob_size > INT_MAX - b->ob_size) {
		655	return PyErr_NoMemory();
		656	}
654	size = a->ob_size + b->ob_size;	657	size = a->ob_size + b->ob_size;
655	np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr);	658	np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr);
656	if (np == NULL) {	659	if (np == NULL) {
Lines 673-678 array_repeat(arrayobject *a, int n) Link Here
673	int nbytes;	676	int nbytes;
674	if (n < 0)	677	if (n < 0)
675	n = 0;	678	n = 0;
		679	if ((a->ob_size != 0) && (n > INT_MAX / a->ob_size)) {
		680	return PyErr_NoMemory();
		681	}
676	size = a->ob_size * n;	682	size = a->ob_size * n;
677	np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr);	683	np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr);
678	if (np == NULL)	684	if (np == NULL)
Lines 817-822 array_do_extend(arrayobject *self, PyObj Link Here
817	"can only extend with array of same kind");	823	"can only extend with array of same kind");
818	return -1;	824	return -1;
819	}	825	}
		826	if ((self->ob_size > INT_MAX - b->ob_size) \|\|
		827	((self->ob_size + b->ob_size) > INT_MAX / self->ob_descr->itemsize)) {
		828	PyErr_NoMemory();
		829	return -1;
		830	}
820	size = self->ob_size + b->ob_size;	831	size = self->ob_size + b->ob_size;
821	PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize);	832	PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize);
822	if (self->ob_item == NULL) {	833	if (self->ob_item == NULL) {
Lines 858-863 array_inplace_repeat(arrayobject *self, Link Here
858	if (n < 0)	869	if (n < 0)
859	n = 0;	870	n = 0;
860	items = self->ob_item;	871	items = self->ob_item;
		872	if ((self->ob_descr->itemsize != 0) &&
		873	(self->ob_size > INT_MAX / self->ob_descr->itemsize)) {
		874	return PyErr_NoMemory();
		875	}
861	size = self->ob_size * self->ob_descr->itemsize;	876	size = self->ob_size * self->ob_descr->itemsize;
862	if (n == 0) {	877	if (n == 0) {
863	PyMem_FREE(items);	878	PyMem_FREE(items);
Lines 866-871 array_inplace_repeat(arrayobject *self, Link Here
866	self->allocated = 0;	881	self->allocated = 0;
867	}	882	}
868	else {	883	else {
		884	if (size > INT_MAX / n) {
		885	return PyErr_NoMemory();
		886	}
869	PyMem_Resize(items, char, n * size);	887	PyMem_Resize(items, char, n * size);
870	if (items == NULL)	888	if (items == NULL)
871	return PyErr_NoMemory();	889	return PyErr_NoMemory();
Lines 1278-1283 array_fromlist(arrayobject *self, PyObje Link Here
1278	if ((*self->ob_descr->setitem)(self,	1296	if ((*self->ob_descr->setitem)(self,
1279	self->ob_size - n + i, v) != 0) {	1297	self->ob_size - n + i, v) != 0) {
1280	self->ob_size -= n;	1298	self->ob_size -= n;
		1299	if (itemsize && (self->ob_size > INT_MAX / itemsize)) {
		1300	return PyErr_NoMemory();
		1301	}
1281	PyMem_RESIZE(item, char,	1302	PyMem_RESIZE(item, char,
1282	self->ob_size * itemsize);	1303	self->ob_size * itemsize);
1283	self->ob_item = item;	1304	self->ob_item = item;
Lines 1337-1342 array_fromstring(arrayobject *self, PyOb Link Here
1337	n = n / itemsize;	1358	n = n / itemsize;
1338	if (n > 0) {	1359	if (n > 0) {
1339	char *item = self->ob_item;	1360	char *item = self->ob_item;
		1361	if ((n > INT_MAX - self->ob_size) \|\|
		1362	((self->ob_size + n) > INT_MAX / itemsize)) {
		1363	return PyErr_NoMemory();
		1364	}
1340	PyMem_RESIZE(item, char, (self->ob_size + n) * itemsize);	1365	PyMem_RESIZE(item, char, (self->ob_size + n) * itemsize);
1341	if (item == NULL) {	1366	if (item == NULL) {
1342	PyErr_NoMemory();	1367	PyErr_NoMemory();
Lines 1362-1369 values,as if it had been read from a fil Link Here
1362	static PyObject *	1387	static PyObject *
1363	array_tostring(arrayobject self, PyObject unused)	1388	array_tostring(arrayobject self, PyObject unused)
1364	{	1389	{
1365	return PyString_FromStringAndSize(self->ob_item,	1390	if (self->ob_size <= INT_MAX / self->ob_descr->itemsize) {
		1391	return PyString_FromStringAndSize(self->ob_item,
1366	self->ob_size * self->ob_descr->itemsize);	1392	self->ob_size * self->ob_descr->itemsize);
		1393	} else {
		1394	return PyErr_NoMemory();
		1395	}
1367	}	1396	}
1368		1397
1369	PyDoc_STRVAR(tostring_doc,	1398	PyDoc_STRVAR(tostring_doc,
Lines 1391-1396 array_fromunicode(arrayobject *self, PyO Link Here
1391	}	1420	}
1392	if (n > 0) {	1421	if (n > 0) {
1393	Py_UNICODE item = (Py_UNICODE ) self->ob_item;	1422	Py_UNICODE item = (Py_UNICODE ) self->ob_item;
		1423	if (self->ob_size > INT_MAX - n) {
		1424	return PyErr_NoMemory();
		1425	}
1394	PyMem_RESIZE(item, Py_UNICODE, self->ob_size + n);	1426	PyMem_RESIZE(item, Py_UNICODE, self->ob_size + n);
1395	if (item == NULL) {	1427	if (item == NULL) {
1396	PyErr_NoMemory();	1428	PyErr_NoMemory();

Lines 121-126 PyDoc_STRVAR(IO_getval__doc__, Link Here

(-)Python-2.4.4/Modules/cStringIO.c (+11 lines)
121	static PyObject *	121	static PyObject *
122	IO_cgetval(PyObject *self) {	122	IO_cgetval(PyObject *self) {
123	UNLESS (IO__opencheck(IOOOBJECT(self))) return NULL;	123	UNLESS (IO__opencheck(IOOOBJECT(self))) return NULL;
		124	assert(IOOOBJECT(self)->pos >= 0);
124	return PyString_FromStringAndSize(((IOobject*)self)->buf,	125	return PyString_FromStringAndSize(((IOobject*)self)->buf,
125	((IOobject*)self)->pos);	126	((IOobject*)self)->pos);
126	}	127	}
Lines 139-144 IO_getval(IOobject self, PyObject args Link Here
139	}	140	}
140	else	141	else
141	s=self->string_size;	142	s=self->string_size;
		143	assert(self->pos >= 0);
142	return PyString_FromStringAndSize(self->buf, s);	144	return PyString_FromStringAndSize(self->buf, s);
143	}	145	}
144		146
Lines 158-163 IO_cread(PyObject self, char *output, Link Here
158	int l;	160	int l;
159		161
160	UNLESS (IO__opencheck(IOOOBJECT(self))) return -1;	162	UNLESS (IO__opencheck(IOOOBJECT(self))) return -1;
		163	assert(IOOOBJECT(self)->pos >= 0);
		164	assert(IOOOBJECT(self)->string_size >= 0);
161	l = ((IOobject)self)->string_size - ((IOobject)self)->pos;	165	l = ((IOobject)self)->string_size - ((IOobject)self)->pos;
162	if (n < 0 \|\| n > l) {	166	if (n < 0 \|\| n > l) {
163	n = l;	167	n = l;
Lines 197-202 IO_creadline(PyObject self, char *outp Link Here
197		201
198	output=((IOobject)self)->buf + ((IOobject*)self)->pos;	202	output=((IOobject)self)->buf + ((IOobject*)self)->pos;
199	l = n - ((IOobject)self)->buf - ((IOobject)self)->pos;	203	l = n - ((IOobject)self)->buf - ((IOobject)self)->pos;
		204
		205	assert(IOOOBJECT(self)->pos <= INT_MAX - l);
		206	assert(IOOOBJECT(self)->pos >= 0);
		207	assert(IOOOBJECT(self)->string_size >= 0);
		208
200	((IOobject*)self)->pos += l;	209	((IOobject*)self)->pos += l;
201	return l;	210	return l;
202	}	211	}
Lines 215-220 IO_readline(IOobject self, PyObject ar Link Here
215	n -= m;	224	n -= m;
216	self->pos -= m;	225	self->pos -= m;
217	}	226	}
		227	assert(IOOOBJECT(self)->pos >= 0);
218	return PyString_FromStringAndSize(output, n);	228	return PyString_FromStringAndSize(output, n);
219	}	229	}
220		230
Lines 277-282 IO_tell(IOobject self, PyObject unused Link Here
277		287
278	UNLESS (IO__opencheck(self)) return NULL;	288	UNLESS (IO__opencheck(self)) return NULL;
279		289
		290	assert(self->pos >= 0);
280	return PyInt_FromLong(self->pos);	291	return PyInt_FromLong(self->pos);
281	}	292	}
282		293




	char* e;
	char* p;
	char* q;
	int i, j, old_j;
	PyObject* out;
	char* string;
	int stringlen;

	}

	/* First pass: determine size of output string */
	i = j = old_j = 0; /* j: current column; i: total of previous lines */
	e = string + stringlen;
	for (p = string; p < e; p++) {
		if (*p == '\t') {
			j += tabsize - (j%tabsize);
			if (old_j > j) {
				PyErr_SetString(PyExc_OverflowError,
						"new string is too long");
				return NULL;
			}
			old_j = j;
		} else {
			j++;
			if (*p == '\n') {
				i += j;

		}
	}

	if ((i + j) < 0) {
		PyErr_SetString(PyExc_OverflowError, "new string is too long");
		return NULL;
	}

	/* Second pass: create output string and fill it */
	out = PyString_FromStringAndSize(NULL, i+j);
	if (out == NULL)

Lines 194-199 binascii_a2b_uu(PyObject *self, PyObject Link Here

(-)Python-2.4.4/Modules/binascii.c (-2 / +38 lines)
194	if ( !PyArg_ParseTuple(args, "t#:a2b_uu", &ascii_data, &ascii_len) )	194	if ( !PyArg_ParseTuple(args, "t#:a2b_uu", &ascii_data, &ascii_len) )
195	return NULL;	195	return NULL;
196		196
		197	assert(ascii_len >= 0);
		198
197	/* First byte: binary data length (in bytes) */	199	/* First byte: binary data length (in bytes) */
198	bin_len = (*ascii_data++ - ' ') & 077;	200	bin_len = (*ascii_data++ - ' ') & 077;
199	ascii_len--;	201	ascii_len--;
Lines 347-352 binascii_a2b_base64(PyObject *self, PyOb Link Here
347	if ( !PyArg_ParseTuple(args, "t#:a2b_base64", &ascii_data, &ascii_len) )	349	if ( !PyArg_ParseTuple(args, "t#:a2b_base64", &ascii_data, &ascii_len) )
348	return NULL;	350	return NULL;
349		351
		352	assert(ascii_len >= 0);
		353
		354	if (ascii_len > INT_MAX - 3)
		355	return PyErr_NoMemory();
		356
350	bin_len = ((ascii_len+3)/4)3; / Upper bound, corrected later */	357	bin_len = ((ascii_len+3)/4)3; / Upper bound, corrected later */
351		358
352	/* Allocate the buffer */	359	/* Allocate the buffer */
Lines 436-441 binascii_b2a_base64(PyObject *self, PyOb Link Here
436		443
437	if ( !PyArg_ParseTuple(args, "s#:b2a_base64", &bin_data, &bin_len) )	444	if ( !PyArg_ParseTuple(args, "s#:b2a_base64", &bin_data, &bin_len) )
438	return NULL;	445	return NULL;
		446
		447	assert(bin_len >= 0);
		448
439	if ( bin_len > BASE64_MAXBIN ) {	449	if ( bin_len > BASE64_MAXBIN ) {
440	PyErr_SetString(Error, "Too much data for base64 line");	450	PyErr_SetString(Error, "Too much data for base64 line");
441	return NULL;	451	return NULL;
Lines 491-496 binascii_a2b_hqx(PyObject *self, PyObjec Link Here
491	if ( !PyArg_ParseTuple(args, "t#:a2b_hqx", &ascii_data, &len) )	501	if ( !PyArg_ParseTuple(args, "t#:a2b_hqx", &ascii_data, &len) )
492	return NULL;	502	return NULL;
493		503
		504	assert(len >= 0);
		505
		506	if (len > INT_MAX - 2)
		507	return PyErr_NoMemory();
		508
494	/* Allocate a string that is too big (fixed later)	509	/* Allocate a string that is too big (fixed later)
495	Add two to the initial length to prevent interning which	510	Add two to the initial length to prevent interning which
496	would preclude subsequent resizing. */	511	would preclude subsequent resizing. */
Lines 554-559 binascii_rlecode_hqx(PyObject *self, PyO Link Here
554	if ( !PyArg_ParseTuple(args, "s#:rlecode_hqx", &in_data, &len) )	569	if ( !PyArg_ParseTuple(args, "s#:rlecode_hqx", &in_data, &len) )
555	return NULL;	570	return NULL;
556		571
		572	assert(len >= 0);
		573
		574	if (len > INT_MAX / 2 - 2)
		575	return PyErr_NoMemory();
		576
557	/* Worst case: output is twice as big as input (fixed later) */	577	/* Worst case: output is twice as big as input (fixed later) */
558	if ( (rv=PyString_FromStringAndSize(NULL, len*2+2)) == NULL )	578	if ( (rv=PyString_FromStringAndSize(NULL, len*2+2)) == NULL )
559	return NULL;	579	return NULL;
Lines 603-608 binascii_b2a_hqx(PyObject *self, PyObjec Link Here
603	if ( !PyArg_ParseTuple(args, "s#:b2a_hqx", &bin_data, &len) )	623	if ( !PyArg_ParseTuple(args, "s#:b2a_hqx", &bin_data, &len) )
604	return NULL;	624	return NULL;
605		625
		626	assert(len >= 0);
		627
		628	if (len > INT_MAX / 2 - 2)
		629	return PyErr_NoMemory();
		630
606	/* Allocate a buffer that is at least large enough */	631	/* Allocate a buffer that is at least large enough */
607	if ( (rv=PyString_FromStringAndSize(NULL, len*2+2)) == NULL )	632	if ( (rv=PyString_FromStringAndSize(NULL, len*2+2)) == NULL )
608	return NULL;	633	return NULL;
Lines 641-649 binascii_rledecode_hqx(PyObject *self, P Link Here
641	if ( !PyArg_ParseTuple(args, "s#:rledecode_hqx", &in_data, &in_len) )	666	if ( !PyArg_ParseTuple(args, "s#:rledecode_hqx", &in_data, &in_len) )
642	return NULL;	667	return NULL;
643		668
		669	assert(in_len >= 0);
		670
644	/* Empty string is a special case */	671	/* Empty string is a special case */
645	if ( in_len == 0 )	672	if ( in_len == 0 )
646	return Py_BuildValue("s", "");	673	return Py_BuildValue("s", "");
		674	else if (in_len > INT_MAX / 2)
		675	return PyErr_NoMemory();
647		676
648	/* Allocate a buffer of reasonable size. Resized when needed */	677	/* Allocate a buffer of reasonable size. Resized when needed */
649	out_len = in_len*2;	678	out_len = in_len*2;
Lines 669-674 binascii_rledecode_hqx(PyObject *self, P Link Here
669	#define OUTBYTE(b) \	698	#define OUTBYTE(b) \
670	do { \	699	do { \
671	if ( --out_len_left < 0 ) { \	700	if ( --out_len_left < 0 ) { \
		701	if ( out_len > INT_MAX / 2) return PyErr_NoMemory(); \
672	_PyString_Resize(&rv, 2*out_len); \	702	_PyString_Resize(&rv, 2*out_len); \
673	if ( rv == NULL ) return NULL; \	703	if ( rv == NULL ) return NULL; \
674	out_data = (unsigned char *)PyString_AsString(rv) \	704	out_data = (unsigned char *)PyString_AsString(rv) \
Lines 737-743 binascii_crc_hqx(PyObject *self, PyObjec Link Here
737	if ( !PyArg_ParseTuple(args, "s#i:crc_hqx", &bin_data, &len, &crc) )	767	if ( !PyArg_ParseTuple(args, "s#i:crc_hqx", &bin_data, &len, &crc) )
738	return NULL;	768	return NULL;
739		769
740	while(len--) {	770	while(len-- > 0) {
741	crc=((crc<<8)&0xff00)^crctab_hqx[((crc>>8)&0xff)^*bin_data++];	771	crc=((crc<<8)&0xff00)^crctab_hqx[((crc>>8)&0xff)^*bin_data++];
742	}	772	}
743		773
Lines 881-887 binascii_crc32(PyObject *self, PyObject Link Here
881	/* only want the trailing 32 bits */	911	/* only want the trailing 32 bits */
882	crc &= 0xFFFFFFFFUL;	912	crc &= 0xFFFFFFFFUL;
883	#endif	913	#endif
884	while (len--)	914	while (len-- > 0)
885	crc = crc_32_tab[(crc ^ *bin_data++) & 0xffUL] ^ (crc >> 8);	915	crc = crc_32_tab[(crc ^ *bin_data++) & 0xffUL] ^ (crc >> 8);
886	/* Note: (crc >> 8) MUST zero fill on left */	916	/* Note: (crc >> 8) MUST zero fill on left */
887		917
Lines 911-916 binascii_hexlify(PyObject *self, PyObjec Link Here
911	if (!PyArg_ParseTuple(args, "s#:b2a_hex", &argbuf, &arglen))	941	if (!PyArg_ParseTuple(args, "s#:b2a_hex", &argbuf, &arglen))
912	return NULL;	942	return NULL;
913		943
		944	assert(arglen >= 0);
		945	if (arglen > INT_MAX / 2)
		946	return PyErr_NoMemory();
		947
914	retval = PyString_FromStringAndSize(NULL, arglen*2);	948	retval = PyString_FromStringAndSize(NULL, arglen*2);
915	if (!retval)	949	if (!retval)
916	return NULL;	950	return NULL;
Lines 968-973 binascii_unhexlify(PyObject *self, PyObj Link Here
968	if (!PyArg_ParseTuple(args, "s#:a2b_hex", &argbuf, &arglen))	1002	if (!PyArg_ParseTuple(args, "s#:a2b_hex", &argbuf, &arglen))
969	return NULL;	1003	return NULL;
970		1004
		1005	assert(arglen >= 0);
		1006
971	/* XXX What should we do about strings with an odd length? Should	1007	/* XXX What should we do about strings with an odd length? Should
972	* we add an implicit leading zero, or a trailing zero? For now,	1008	* we add an implicit leading zero, or a trailing zero? For now,
973	* raise an exception.	1009	* raise an exception.

Lines 674-680 static PyObject * Link Here

(-)Python-2.4.4/Modules/audioop.c (-12 / +44 lines)
674	audioop_tostereo(PyObject self, PyObject args)	674	audioop_tostereo(PyObject self, PyObject args)
675	{	675	{
676	signed char cp, ncp;	676	signed char cp, ncp;
677	int len, size, val1, val2, val = 0;	677	int len, new_len, size, val1, val2, val = 0;
678	double fac1, fac2, fval, maxval;	678	double fac1, fac2, fval, maxval;
679	PyObject *rv;	679	PyObject *rv;
680	int i;	680	int i;
Lines 690-696 audioop_tostereo(PyObject *self, PyObjec Link Here
690	return 0;	690	return 0;
691	}	691	}
692		692
693	rv = PyString_FromStringAndSize(NULL, len*2);	693	new_len = len*2;
		694	if (new_len < 0) {
		695	PyErr_SetString(PyExc_MemoryError,
		696	"not enough memory for output buffer");
		697	return 0;
		698	}
		699
		700	rv = PyString_FromStringAndSize(NULL, new_len);
694	if ( rv == 0 )	701	if ( rv == 0 )
695	return 0;	702	return 0;
696	ncp = (signed char *)PyString_AsString(rv);	703	ncp = (signed char *)PyString_AsString(rv);
Lines 853-859 audioop_lin2lin(PyObject *self, PyObject Link Here
853	{	860	{
854	signed char *cp;	861	signed char *cp;
855	unsigned char *ncp;	862	unsigned char *ncp;
856	int len, size, size2, val = 0;	863	int len, new_len, size, size2, val = 0;
857	PyObject *rv;	864	PyObject *rv;
858	int i, j;	865	int i, j;
859		866
Lines 867-873 audioop_lin2lin(PyObject *self, PyObject Link Here
867	return 0;	874	return 0;
868	}	875	}
869		876
870	rv = PyString_FromStringAndSize(NULL, (len/size)*size2);	877	new_len = (len/size)*size2;
		878	if (new_len < 0) {
		879	PyErr_SetString(PyExc_MemoryError,
		880	"not enough memory for output buffer");
		881	return 0;
		882	}
		883	rv = PyString_FromStringAndSize(NULL, new_len);
871	if ( rv == 0 )	884	if ( rv == 0 )
872	return 0;	885	return 0;
873	ncp = (unsigned char *)PyString_AsString(rv);	886	ncp = (unsigned char *)PyString_AsString(rv);
Lines 903-908 audioop_ratecv(PyObject *self, PyObject Link Here
903	int chan, d, prev_i, cur_i, cur_o;	916	int chan, d, prev_i, cur_i, cur_o;
904	PyObject state, samps, str, rv = NULL;	917	PyObject state, samps, str, rv = NULL;
905	int bytes_per_frame;	918	int bytes_per_frame;
		919	size_t alloc_size;
906		920
907	weightA = 1;	921	weightA = 1;
908	weightB = 0;	922	weightB = 0;
Lines 944-951 audioop_ratecv(PyObject *self, PyObject Link Here
944	inrate /= d;	958	inrate /= d;
945	outrate /= d;	959	outrate /= d;
946		960
947	prev_i = (int ) malloc(nchannels sizeof(int));	961	alloc_size = sizeof(int) * (unsigned)nchannels;
948	cur_i = (int ) malloc(nchannels sizeof(int));	962	if (alloc_size < nchannels) {
		963	PyErr_SetString(PyExc_MemoryError,
		964	"not enough memory for output buffer");
		965	return 0;
		966	}
		967	prev_i = (int *) malloc(alloc_size);
		968	cur_i = (int *) malloc(alloc_size);
949	if (prev_i == NULL \|\| cur_i == NULL) {	969	if (prev_i == NULL \|\| cur_i == NULL) {
950	(void) PyErr_NoMemory();	970	(void) PyErr_NoMemory();
951	goto exit;	971	goto exit;
Lines 1116-1122 audioop_ulaw2lin(PyObject *self, PyObjec Link Here
1116	unsigned char *cp;	1136	unsigned char *cp;
1117	unsigned char cval;	1137	unsigned char cval;
1118	signed char *ncp;	1138	signed char *ncp;
1119	int len, size, val;	1139	int len, new_len, size, val;
1120	PyObject *rv;	1140	PyObject *rv;
1121	int i;	1141	int i;
1122		1142
Lines 1129-1140 audioop_ulaw2lin(PyObject *self, PyObjec Link Here
1129	return 0;	1149	return 0;
1130	}	1150	}
1131		1151
1132	rv = PyString_FromStringAndSize(NULL, len*size);	1152	new_len = len*size;
		1153	if (new_len < 0) {
		1154	PyErr_SetString(PyExc_MemoryError,
		1155	"not enough memory for output buffer");
		1156	return 0;
		1157	}
		1158	rv = PyString_FromStringAndSize(NULL, new_len);
1133	if ( rv == 0 )	1159	if ( rv == 0 )
1134	return 0;	1160	return 0;
1135	ncp = (signed char *)PyString_AsString(rv);	1161	ncp = (signed char *)PyString_AsString(rv);
1136		1162
1137	for ( i=0; i < len*size; i += size ) {	1163	for ( i=0; i < new_len; i += size ) {
1138	cval = *cp++;	1164	cval = *cp++;
1139	val = st_ulaw_to_linear(cval);	1165	val = st_ulaw_to_linear(cval);
1140		1166
Lines 1259-1265 audioop_adpcm2lin(PyObject *self, PyObje Link Here
1259	{	1285	{
1260	signed char *cp;	1286	signed char *cp;
1261	signed char *ncp;	1287	signed char *ncp;
1262	int len, size, valpred, step, delta, index, sign, vpdiff;	1288	int len, new_len, size, valpred, step, delta, index, sign, vpdiff;
1263	PyObject rv, str, *state;	1289	PyObject rv, str, *state;
1264	int i, inputbuffer = 0, bufferstep;	1290	int i, inputbuffer = 0, bufferstep;
1265		1291
Lines 1281-1287 audioop_adpcm2lin(PyObject *self, PyObje Link Here
1281	} else if ( !PyArg_Parse(state, "(ii)", &valpred, &index) )	1307	} else if ( !PyArg_Parse(state, "(ii)", &valpred, &index) )
1282	return 0;	1308	return 0;
1283		1309
1284	str = PyString_FromStringAndSize(NULL, lensize2);	1310	new_len = lensize2;
		1311	if (new_len < 0) {
		1312	PyErr_SetString(PyExc_MemoryError,
		1313	"not enough memory for output buffer");
		1314	return 0;
		1315	}
		1316	str = PyString_FromStringAndSize(NULL, new_len);
1285	if ( str == 0 )	1317	if ( str == 0 )
1286	return 0;	1318	return 0;
1287	ncp = (signed char *)PyString_AsString(str);	1319	ncp = (signed char *)PyString_AsString(str);
Lines 1289-1295 audioop_adpcm2lin(PyObject *self, PyObje Link Here
1289	step = stepsizeTable[index];	1321	step = stepsizeTable[index];
1290	bufferstep = 0;	1322	bufferstep = 0;
1291		1323
1292	for ( i=0; i < lensize2; i += size ) {	1324	for ( i=0; i < new_len; i += size ) {
1293	/* Step 1 - get the delta value and compute next index */	1325	/* Step 1 - get the delta value and compute next index */
1294	if ( bufferstep ) {	1326	if ( bufferstep ) {
1295	delta = inputbuffer & 0xf;	1327	delta = inputbuffer & 0xf;

Lines 3419-3424 load_binstring(Unpicklerobject *self) Link Here

(-)Python-2.4.4/Modules/cPickle.c (+16 lines)
3419	if (self->read_func(self, &s, 4) < 0) return -1;	3419	if (self->read_func(self, &s, 4) < 0) return -1;
3420		3420
3421	l = calc_binint(s, 4);	3421	l = calc_binint(s, 4);
		3422	if (l < 0) {
		3423	/* Corrupt or hostile pickle -- we never write one like
		3424	* this.
		3425	*/
		3426	PyErr_SetString(UnpicklingError,
		3427	"BINSTRING pickle has negative byte count");
		3428	return -1;
		3429	}
3422		3430
3423	if (self->read_func(self, &s, l) < 0)	3431	if (self->read_func(self, &s, l) < 0)
3424	return -1;	3432	return -1;
Lines 3486-3491 load_binunicode(Unpicklerobject *self) Link Here
3486	if (self->read_func(self, &s, 4) < 0) return -1;	3494	if (self->read_func(self, &s, 4) < 0) return -1;
3487		3495
3488	l = calc_binint(s, 4);	3496	l = calc_binint(s, 4);
		3497	if (l < 0) {
		3498	/* Corrupt or hostile pickle -- we never write one like
		3499	* this.
		3500	*/
		3501	PyErr_SetString(UnpicklingError,
		3502	"BINUNICODE pickle has negative byte count");
		3503	return -1;
		3504	}
3489		3505
3490	if (self->read_func(self, &s, l) < 0)	3506	if (self->read_func(self, &s, l) < 0)
3491	return -1;	3507	return -1;

Lines 470-475 parse_grow_buff(ReaderObj *self) Link Here

(-)Python-2.4.4/Modules/_csv.c (+10 lines)
470	self->field = PyMem_Malloc(self->field_size);	470	self->field = PyMem_Malloc(self->field_size);
471	}	471	}
472	else {	472	else {
		473	if (self->field_size > INT_MAX / 2) {
		474	PyErr_NoMemory();
		475	return 0;
		476	}
473	self->field_size *= 2;	477	self->field_size *= 2;
474	self->field = PyMem_Realloc(self->field, self->field_size);	478	self->field = PyMem_Realloc(self->field, self->field_size);
475	}	479	}
Lines 1003-1008 join_append_data(WriterObj self, char Link Here
1003	static int	1007	static int
1004	join_check_rec_size(WriterObj *self, int rec_len)	1008	join_check_rec_size(WriterObj *self, int rec_len)
1005	{	1009	{
		1010
		1011	if (rec_len < 0 \|\| rec_len > INT_MAX - MEM_INCR) {
		1012	PyErr_NoMemory();
		1013	return 0;
		1014	}
		1015
1006	if (rec_len > self->rec_size) {	1016	if (rec_len > self->rec_size) {
1007	if (self->rec_size == 0) {	1017	if (self->rec_size == 0) {
1008	self->rec_size = (rec_len / MEM_INCR + 1) * MEM_INCR;	1018	self->rec_size = (rec_len / MEM_INCR + 1) * MEM_INCR;

Return to bug 232137

Lines 2376-2386 filterstring(PyObject func, PyObject s Link Here

(-)Python-2.4.4/Python/bltinmodule.c (-4 / +56 lines)
2376	PyString_AS_STRING(item)[0];	2376	PyString_AS_STRING(item)[0];
2377	} else {	2377	} else {
2378	/* do we need more space? */	2378	/* do we need more space? */
2379	int need = j + reslen + len-i-1;	2379	int need = j;
		2380
		2381	/* calculate space requirements while checking for overflow */
		2382	if (need > INT_MAX - reslen) {
		2383	Py_DECREF(item);
		2384	goto Fail_1;
		2385	}
		2386
		2387	need += reslen;
		2388
		2389	if (need > INT_MAX - len) {
		2390	Py_DECREF(item);
		2391	goto Fail_1;
		2392	}
		2393
		2394	need += len;
		2395
		2396	if (need <= i) {
		2397	Py_DECREF(item);
		2398	goto Fail_1;
		2399	}
		2400
		2401	need = need - i - 1;
		2402
		2403	assert(need >= 0);
		2404	assert(outlen >= 0);
		2405
2380	if (need > outlen) {	2406	if (need > outlen) {
2381	/* overallocate, to avoid reallocations */	2407	/* overallocate, to avoid reallocations */
2382	if (need<2*outlen)	2408	if (outlen > INT_MAX / 2) {
		2409	Py_DECREF(item);
		2410	return NULL;
		2411	}
		2412
		2413	if (need<2*outlen) {
2383	need = 2*outlen;	2414	need = 2*outlen;
		2415	}
2384	if (_PyString_Resize(&result, need)) {	2416	if (_PyString_Resize(&result, need)) {
2385	Py_DECREF(item);	2417	Py_DECREF(item);
2386	return NULL;	2418	return NULL;
Lines 2472-2482 filterunicode(PyObject func, PyObject Link Here
2472	else {	2504	else {
2473	/* do we need more space? */	2505	/* do we need more space? */
2474	int need = j + reslen + len - i - 1;	2506	int need = j + reslen + len - i - 1;
		2507
		2508	/* check that didnt overflow */
		2509	if ((j > INT_MAX - reslen) \|\|
		2510	((j + reslen) > INT_MAX - len) \|\|
		2511	((j + reslen + len) < i) \|\|
		2512	((j + reslen + len - i) <= 0)) {
		2513	Py_DECREF(item);
		2514	return NULL;
		2515	}
		2516
		2517	assert(need >= 0);
		2518	assert(outlen >= 0);
		2519
2475	if (need > outlen) {	2520	if (need > outlen) {
2476	/* overallocate,	2521	/* overallocate,
2477	to avoid reallocations */	2522	to avoid reallocations */
2478	if (need < 2 * outlen)	2523	if (need < 2 * outlen) {
2479	need = 2 * outlen;	2524	if (outlen > INT_MAX / 2) {
		2525	Py_DECREF(item);
		2526	return NULL;
		2527	} else {
		2528	need = 2 * outlen;
		2529	}
		2530	}
		2531
2480	if (PyUnicode_Resize(	2532	if (PyUnicode_Resize(
2481	&result, need) < 0) {	2533	&result, need) < 0) {
2482	Py_DECREF(item);	2534	Py_DECREF(item);

Lines 616-621 typedef struct fd_set { Link Here

(-)Python-2.4.4/Include/pyport.h (+11 lines)
616	#error "LONG_BIT definition appears wrong for platform (bad gcc/glibc config?)."	616	#error "LONG_BIT definition appears wrong for platform (bad gcc/glibc config?)."
617	#endif	617	#endif
618		618
		619	/* Largest possible value of size_t.
		620	SIZE_MAX is part of C99, so it might be defined on some
		621	platforms. If it is not defined, (size_t)-1 is a portable
		622	definition for C89, due to the way signed->unsigned
		623	conversion is defined. */
		624	#ifdef SIZE_MAX
		625	#define PY_SIZE_MAX SIZE_MAX
		626	#else
		627	#define PY_SIZE_MAX ((size_t)-1)
		628	#endif
		629
619	#ifdef __cplusplus	630	#ifdef __cplusplus
620	}	631	}
621	#endif	632	#endif

Lines 86-99 PyAPI_FUNC(void) PyMem_Free(void *); Link Here

(-)Python-2.4.4/Include/pymem.h (-4 / +8 lines)
86	*/	86	*/
87		87
88	#define PyMem_New(type, n) \	88	#define PyMem_New(type, n) \
89	( (type ) PyMem_Malloc((n) sizeof(type)) )	89	( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
		90	( (type ) PyMem_Malloc((n) sizeof(type)) ) )
90	#define PyMem_NEW(type, n) \	91	#define PyMem_NEW(type, n) \
91	( (type ) PyMem_MALLOC((n) sizeof(type)) )	92	( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
		93	( (type ) PyMem_MALLOC((n) sizeof(type)) ) )
92		94
93	#define PyMem_Resize(p, type, n) \	95	#define PyMem_Resize(p, type, n) \
94	( (p) = (type ) PyMem_Realloc((p), (n) sizeof(type)) )	96	( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
		97	( (p) = (type ) PyMem_Realloc((p), (n) sizeof(type)) ) )
95	#define PyMem_RESIZE(p, type, n) \	98	#define PyMem_RESIZE(p, type, n) \
96	( (p) = (type ) PyMem_REALLOC((p), (n) sizeof(type)) )	99	( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
		100	( (p) = (type ) PyMem_REALLOC((p), (n) sizeof(type)) ) )
97		101
98	/* In order to avoid breaking old code mixing PyObject_{New, NEW} with	102	/* In order to avoid breaking old code mixing PyObject_{New, NEW} with
99	PyMem_{Del, DEL} and PyMem_{Free, FREE}, the PyMem "release memory"	103	PyMem_{Del, DEL} and PyMem_{Free, FREE}, the PyMem "release memory"

Lines 45-51 list_resize(PyListObject *self, int news Link Here

(-)Python-2.4.4/Objects/listobject.c (-3 / +19 lines)
45	* system realloc().	45	* system realloc().
46	* The growth pattern is: 0, 4, 8, 16, 25, 35, 46, 58, 72, 88, ...	46	* The growth pattern is: 0, 4, 8, 16, 25, 35, 46, 58, 72, 88, ...
47	*/	47	*/
48	new_allocated = (newsize >> 3) + (newsize < 9 ? 3 : 6) + newsize;	48	new_allocated = (newsize >> 3) + (newsize < 9 ? 3 : 6);
		49
		50	/* check for integer overflow */
		51	if (new_allocated > PY_SIZE_MAX - newsize) {
		52	PyErr_NoMemory();
		53	return -1;
		54	} else {
		55	new_allocated += newsize;
		56	}
		57
49	if (newsize == 0)	58	if (newsize == 0)
50	new_allocated = 0;	59	new_allocated = 0;
51	items = self->ob_item;	60	items = self->ob_item;
Lines 92-99 PyList_New(int size) Link Here
92	return NULL;	101	return NULL;
93	}	102	}
94	nbytes = size * sizeof(PyObject *);	103	nbytes = size * sizeof(PyObject *);
95	/* Check for overflow */	104	/* Check for overflow without an actual overflow,
96	if (nbytes / sizeof(PyObject *) != (size_t)size)	105	* which can cause compiler to optimise out */
		106	if (size > PY_SIZE_MAX / sizeof(PyObject *))
97	return PyErr_NoMemory();	107	return PyErr_NoMemory();
98	if (num_free_lists) {	108	if (num_free_lists) {
99	num_free_lists--;	109	num_free_lists--;
Lines 1372-1377 merge_getmem(MergeState *ms, int need) Link Here
1372	* we don't care what's in the block.	1382	* we don't care what's in the block.
1373	*/	1383	*/
1374	merge_freemem(ms);	1384	merge_freemem(ms);
		1385	if (need > INT_MAX / sizeof(PyObject*)) {
		1386	PyErr_NoMemory();
		1387	return -1;
		1388	}
1375	ms->a = (PyObject *)PyMem_Malloc(need sizeof(PyObject*));	1389	ms->a = (PyObject *)PyMem_Malloc(need sizeof(PyObject*));
1376	if (ms->a) {	1390	if (ms->a) {
1377	ms->alloced = need;	1391	ms->alloced = need;
Lines 2550-2555 list_ass_subscript(PyListObject* self, P Link Here
2550	step = -step;	2564	step = -step;
2551	}	2565	}
2552		2566
		2567	assert(slicelength <= PY_SIZE_MAX / sizeof(PyObject*));
		2568
2553	garbage = (PyObject**)	2569	garbage = (PyObject**)
2554	PyMem_MALLOC(slicelengthsizeof(PyObject));	2570	PyMem_MALLOC(slicelengthsizeof(PyObject));
2555	if (!garbage) {	2571	if (!garbage) {

Lines 576-582 strop_expandtabs(PyObject *self, PyObjec Link Here

(-)Python-2.4.4/Modules/stropmodule.c (-4 / +15 lines)
576	char* e;	576	char* e;
577	char* p;	577	char* p;
578	char* q;	578	char* q;
579	int i, j;	579	int i, j, old_j;
580	PyObject* out;	580	PyObject* out;
581	char* string;	581	char* string;
582	int stringlen;	582	int stringlen;
Lines 593-604 strop_expandtabs(PyObject *self, PyObjec Link Here
593	}	593	}
594		594
595	/* First pass: determine size of output string */	595	/* First pass: determine size of output string */
596	i = j = 0; /* j: current column; i: total of previous lines */	596	i = j = old_j = 0; /* j: current column; i: total of previous lines */
597	e = string + stringlen;	597	e = string + stringlen;
598	for (p = string; p < e; p++) {	598	for (p = string; p < e; p++) {
599	if (*p == '\t')	599	if (*p == '\t') {
600	j += tabsize - (j%tabsize);	600	j += tabsize - (j%tabsize);
601	else {	601	if (old_j > j) {
		602	PyErr_SetString(PyExc_OverflowError,
		603	"new string is too long");
		604	return NULL;
		605	}
		606	old_j = j;
		607	} else {
602	j++;	608	j++;
603	if (*p == '\n') {	609	if (*p == '\n') {
604	i += j;	610	i += j;
Lines 607-612 strop_expandtabs(PyObject *self, PyObjec Link Here
607	}	613	}
608	}	614	}
609		615
		616	if ((i + j) < 0) {
		617	PyErr_SetString(PyExc_OverflowError, "new string is too long");
		618	return NULL;
		619	}
		620
610	/* Second pass: create output string and fill it */	621	/* Second pass: create output string and fill it */
611	out = PyString_FromStringAndSize(NULL, i+j);	622	out = PyString_FromStringAndSize(NULL, i+j);
612	if (out == NULL)	623	if (out == NULL)