Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
View | Details | Raw Unified | Return to bug 230640 | Differences between
and this patch

Collapse All | Expand All

(-)Python-2.4.4/Objects/unicodeobject.c (-10 / +39 lines)
Lines 186-191 PyUnicodeObject *_PyUnicode_New(int leng Link Here
186
        return unicode_empty;
186
        return unicode_empty;
187
    }
187
    }
188
188
189
    /* Ensure we won't overflow the size. */
190
    if (length > ((INT_MAX / sizeof(Py_UNICODE)) - 1)) {
191
        return (PyUnicodeObject *)PyErr_NoMemory();
192
    }
193
189
    /* Unicode freelist & memory allocation */
194
    /* Unicode freelist & memory allocation */
190
    if (unicode_freelist) {
195
    if (unicode_freelist) {
191
        unicode = unicode_freelist;
196
        unicode = unicode_freelist;
Lines 1040-1045 PyObject *PyUnicode_EncodeUTF7(const Py_ Link Here
1040
    char * out;
1045
    char * out;
1041
    char * start;
1046
    char * start;
1042
1047
1048
    if (cbAllocated / 5 != size)
1049
        return PyErr_NoMemory();
1050
1043
    if (size == 0)
1051
    if (size == 0)
1044
		return PyString_FromStringAndSize(NULL, 0);
1052
		return PyString_FromStringAndSize(NULL, 0);
1045
1053
Lines 1638-1643 PyUnicode_EncodeUTF16(const Py_UNICODE * Link Here
1638
{
1646
{
1639
    PyObject *v;
1647
    PyObject *v;
1640
    unsigned char *p;
1648
    unsigned char *p;
1649
    int nsize, bytesize;
1641
#ifdef Py_UNICODE_WIDE
1650
#ifdef Py_UNICODE_WIDE
1642
    int i, pairs;
1651
    int i, pairs;
1643
#else
1652
#else
Lines 1662-1669 PyUnicode_EncodeUTF16(const Py_UNICODE * Link Here
1662
	if (s[i] >= 0x10000)
1671
	if (s[i] >= 0x10000)
1663
	    pairs++;
1672
	    pairs++;
1664
#endif
1673
#endif
1665
    v = PyString_FromStringAndSize(NULL,
1674
    /* 2 * (size + pairs + (byteorder == 0)) */
1666
		  2 * (size + pairs + (byteorder == 0)));
1675
    if (size > INT_MAX ||
1676
	size > INT_MAX - pairs - (byteorder == 0))
1677
	return PyErr_NoMemory();
1678
    nsize = (size + pairs + (byteorder == 0));
1679
    bytesize = nsize * 2;
1680
    if (bytesize / 2 != nsize)
1681
	return PyErr_NoMemory();
1682
    v = PyString_FromStringAndSize(NULL, bytesize);
1667
    if (v == NULL)
1683
    if (v == NULL)
1668
        return NULL;
1684
        return NULL;
1669
1685
Lines 1977-1982 PyObject *unicodeescape_string(const Py_ Link Here
1977
    char *p;
1993
    char *p;
1978
1994
1979
    static const char *hexdigit = "0123456789abcdef";
1995
    static const char *hexdigit = "0123456789abcdef";
1996
#ifdef Py_UNICODE_WIDE
1997
    const int expandsize = 10;
1998
#else
1999
    const int expandsize = 6;
2000
#endif
1980
2001
1981
    /* Initial allocation is based on the longest-possible unichr
2002
    /* Initial allocation is based on the longest-possible unichr
1982
       escape.
2003
       escape.
Lines 1992-2004 PyObject *unicodeescape_string(const Py_ Link Here
1992
       escape.
2013
       escape.
1993
    */
2014
    */
1994
2015
2016
    if (size > (INT_MAX - 2 - 1) / expandsize)
2017
	return PyErr_NoMemory();
2018
1995
    repr = PyString_FromStringAndSize(NULL,
2019
    repr = PyString_FromStringAndSize(NULL,
1996
        2
2020
        2
1997
#ifdef Py_UNICODE_WIDE
2021
        + expandsize*size
1998
        + 10*size
1999
#else
2000
        + 6*size
2001
#endif
2002
        + 1);
2022
        + 1);
2003
    if (repr == NULL)
2023
    if (repr == NULL)
2004
        return NULL;
2024
        return NULL;
Lines 2239-2250 PyObject *PyUnicode_EncodeRawUnicodeEsca Link Here
2239
    char *q;
2259
    char *q;
2240
2260
2241
    static const char *hexdigit = "0123456789abcdef";
2261
    static const char *hexdigit = "0123456789abcdef";
2242
2243
#ifdef Py_UNICODE_WIDE
2262
#ifdef Py_UNICODE_WIDE
2244
    repr = PyString_FromStringAndSize(NULL, 10 * size);
2263
    const int expandsize = 10;
2245
#else
2264
#else
2246
    repr = PyString_FromStringAndSize(NULL, 6 * size);
2265
    const int expandsize = 6;
2247
#endif
2266
#endif
2267
2268
    if (size > INT_MAX / expandsize)
2269
	return PyErr_NoMemory();
2270
2271
    repr = PyString_FromStringAndSize(NULL, expandsize * size);
2248
    if (repr == NULL)
2272
    if (repr == NULL)
2249
        return NULL;
2273
        return NULL;
2250
    if (size == 0)
2274
    if (size == 0)
Lines 4289-4294 PyUnicodeObject *pad(PyUnicodeObject *se Link Here
4289
        return self;
4313
        return self;
4290
    }
4314
    }
4291
4315
4316
    if (left > INT_MAX - self->length ||
4317
	right > INT_MAX - (left + self->length)) {
4318
        PyErr_SetString(PyExc_OverflowError, "padded string is too long");
4319
        return NULL;
4320
    }
4292
    u = _PyUnicode_New(left + self->length + right);
4321
    u = _PyUnicode_New(left + self->length + right);
4293
    if (u) {
4322
    if (u) {
4294
        if (left)
4323
        if (left)
(-)Python-2.4.4/Objects/tupleobject.c (-2 / +3 lines)
Lines 60-70 PyTuple_New(register int size) Link Here
60
		int nbytes = size * sizeof(PyObject *);
60
		int nbytes = size * sizeof(PyObject *);
61
		/* Check for overflow */
61
		/* Check for overflow */
62
		if (nbytes / sizeof(PyObject *) != (size_t)size ||
62
		if (nbytes / sizeof(PyObject *) != (size_t)size ||
63
		    (nbytes += sizeof(PyTupleObject) - sizeof(PyObject *))
63
		    (nbytes > INT_MAX - sizeof(PyTupleObject) - sizeof(PyObject *)))
64
		    <= 0)
65
		{
64
		{
66
			return PyErr_NoMemory();
65
			return PyErr_NoMemory();
67
		}
66
		}
67
		nbytes += sizeof(PyTupleObject) - sizeof(PyObject *);
68
68
		op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size);
69
		op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size);
69
		if (op == NULL)
70
		if (op == NULL)
70
			return NULL;
71
			return NULL;
(-)Python-2.4.4/Objects/bufferobject.c (+4 lines)
Lines 384-389 buffer_repeat(PyBufferObject *self, int Link Here
384
		count = 0;
384
		count = 0;
385
	if (!get_buf(self, &ptr, &size))
385
	if (!get_buf(self, &ptr, &size))
386
		return NULL;
386
		return NULL;
387
	if (count > INT_MAX / size) {
388
		PyErr_SetString(PyExc_MemoryError, "result too large");
389
		return NULL;
390
	}
387
	ob = PyString_FromStringAndSize(NULL, size * count);
391
	ob = PyString_FromStringAndSize(NULL, size * count);
388
	if ( ob == NULL )
392
	if ( ob == NULL )
389
		return NULL;
393
		return NULL;
(-)Python-2.4.4/Objects/stringobject.c (-1 / +17 lines)
Lines 69-74 PyString_FromStringAndSize(const char *s Link Here
69
		return (PyObject *)op;
69
		return (PyObject *)op;
70
	}
70
	}
71
71
72
	if (size > INT_MAX - sizeof(PyStringObject)) {
73
		PyErr_SetString(PyExc_OverflowError, "string is too large");
74
		return NULL;
75
	}
76
72
	/* Inline PyObject_NewVar */
77
	/* Inline PyObject_NewVar */
73
	op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
78
	op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
74
	if (op == NULL)
79
	if (op == NULL)
Lines 104-110 PyString_FromString(const char *str) Link Here
104
109
105
	assert(str != NULL);
110
	assert(str != NULL);
106
	size = strlen(str);
111
	size = strlen(str);
107
	if (size > INT_MAX) {
112
	if (size > INT_MAX - sizeof(PyStringObject)) {
108
		PyErr_SetString(PyExc_OverflowError,
113
		PyErr_SetString(PyExc_OverflowError,
109
			"string is too long for a Python string");
114
			"string is too long for a Python string");
110
		return NULL;
115
		return NULL;
Lines 907-913 string_concat(register PyStringObject *a Link Here
907
		Py_INCREF(a);
912
		Py_INCREF(a);
908
		return (PyObject *)a;
913
		return (PyObject *)a;
909
	}
914
	}
915
	/* Check that string sizes are not negative, to prevent an
916
	   overflow in cases where we are passed incorrectly-created
917
	   strings with negative lengths (due to a bug in other code).
918
	*/
910
	size = a->ob_size + b->ob_size;
919
	size = a->ob_size + b->ob_size;
920
	if (a->ob_size < 0 || b->ob_size < 0 ||
921
	    a->ob_size > INT_MAX - b->ob_size) {
922
		PyErr_SetString(PyExc_OverflowError,
923
				"strings are too large to concat");
924
		return NULL;
925
	}
926
911
	/* Inline PyObject_NewVar */
927
	/* Inline PyObject_NewVar */
912
	op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
928
	op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
913
	if (op == NULL)
929
	if (op == NULL)
(-)Python-2.4.4/Misc/NEWS (+2 lines)
Lines 23-28 What's New in Python 2.4.4c1? Link Here
23
Core and builtins
23
Core and builtins
24
-----------------
24
-----------------
25
25
26
- Apply security patches from Apple.
27
26
- Issue #2620: Overflow checking when allocating or reallocating memory
28
- Issue #2620: Overflow checking when allocating or reallocating memory
27
  was not always being done properly in some python types and extension
29
  was not always being done properly in some python types and extension
28
  modules.  PyMem_MALLOC, PyMem_REALLOC, PyMem_NEW and PyMem_RESIZE have
30
  modules.  PyMem_MALLOC, PyMem_REALLOC, PyMem_NEW and PyMem_RESIZE have
(-)Python-2.4.4/Modules/mmapmodule.c (-1 / +1 lines)
Lines 223-229 mmap_read_method(mmap_object *self, Link Here
223
		return(NULL);
223
		return(NULL);
224
224
225
	/* silently 'adjust' out-of-range requests */
225
	/* silently 'adjust' out-of-range requests */
226
	if ((self->pos + num_bytes) > self->size) {
226
	if (num_bytes > self->size - self->pos) {
227
		num_bytes -= (self->pos+num_bytes) - self->size;
227
		num_bytes -= (self->pos+num_bytes) - self->size;
228
	}
228
	}
229
	result = Py_BuildValue("s#", self->data+self->pos, num_bytes);
229
	result = Py_BuildValue("s#", self->data+self->pos, num_bytes);
(-)Python-2.4.4/Modules/stropmodule.c (+15 lines)
Lines 214-219 strop_joinfields(PyObject *self, PyObjec Link Here
214
				return NULL;
214
				return NULL;
215
			}
215
			}
216
			slen = PyString_GET_SIZE(item);
216
			slen = PyString_GET_SIZE(item);
217
			if (slen > INT_MAX - reslen ||
218
			    seplen > INT_MAX - reslen - seplen) {
219
				PyErr_SetString(PyExc_OverflowError,
220
						"input too long");
221
				Py_DECREF(res);
222
				return NULL;
223
			}
217
			while (reslen + slen + seplen >= sz) {
224
			while (reslen + slen + seplen >= sz) {
218
				if (_PyString_Resize(&res, sz * 2) < 0)
225
				if (_PyString_Resize(&res, sz * 2) < 0)
219
					return NULL;
226
					return NULL;
Lines 251-256 strop_joinfields(PyObject *self, PyObjec Link Here
251
			return NULL;
258
			return NULL;
252
		}
259
		}
253
		slen = PyString_GET_SIZE(item);
260
		slen = PyString_GET_SIZE(item);
261
		if (slen > INT_MAX - reslen ||
262
		    seplen > INT_MAX - reslen - seplen) {
263
			PyErr_SetString(PyExc_OverflowError,
264
					"input too long");
265
			Py_DECREF(res);
266
			Py_XDECREF(item);
267
			return NULL;
268
		}
254
		while (reslen + slen + seplen >= sz) {
269
		while (reslen + slen + seplen >= sz) {
255
			if (_PyString_Resize(&res, sz * 2) < 0) {
270
			if (_PyString_Resize(&res, sz * 2) < 0) {
256
				Py_DECREF(item);
271
				Py_DECREF(item);
(-)Python-2.4.4/Modules/gcmodule.c (-1 / +6 lines)
Lines 1249-1255 PyObject * Link Here
1249
_PyObject_GC_Malloc(size_t basicsize)
1249
_PyObject_GC_Malloc(size_t basicsize)
1250
{
1250
{
1251
	PyObject *op;
1251
	PyObject *op;
1252
	PyGC_Head *g = PyObject_MALLOC(sizeof(PyGC_Head) + basicsize);
1252
	PyGC_Head *g;
1253
 	if (basicsize > INT_MAX - sizeof(PyGC_Head))
1254
 		return PyErr_NoMemory();
1255
	g = PyObject_MALLOC(sizeof(PyGC_Head) + basicsize);
1253
	if (g == NULL)
1256
	if (g == NULL)
1254
		return PyErr_NoMemory();
1257
		return PyErr_NoMemory();
1255
	g->gc.gc_refs = GC_UNTRACKED;
1258
	g->gc.gc_refs = GC_UNTRACKED;
Lines 1291-1296 _PyObject_GC_Resize(PyVarObject *op, int Link Here
1291
{
1294
{
1292
	const size_t basicsize = _PyObject_VAR_SIZE(op->ob_type, nitems);
1295
	const size_t basicsize = _PyObject_VAR_SIZE(op->ob_type, nitems);
1293
	PyGC_Head *g = AS_GC(op);
1296
	PyGC_Head *g = AS_GC(op);
1297
 	if (basicsize > INT_MAX - sizeof(PyGC_Head))
1298
 		return (PyVarObject *)PyErr_NoMemory();
1294
	g = PyObject_REALLOC(g,  sizeof(PyGC_Head) + basicsize);
1299
	g = PyObject_REALLOC(g,  sizeof(PyGC_Head) + basicsize);
1295
	if (g == NULL)
1300
	if (g == NULL)
1296
		return (PyVarObject *)PyErr_NoMemory();
1301
		return (PyVarObject *)PyErr_NoMemory();

Return to bug 230640