python - fix buffer overflows in unicode processing and elsewhere

Objects/obmalloc.c

 #include "Python.h"
 
 #ifdef WITH_PYMALLOC
 
 /* An object allocator for Python.
 
    Here is an introduction to the layers of the Python memory architecture,
    showing where the object allocator is actually used (layer +2), It is
    called for every object allocation and deallocation (PyObject_New/Del),
    unless the object-specific allocators implement a proprietary allocation
@@ skipping 707 matching lines @@
  */
 
 #undef PyObject_Malloc
 void *
 PyObject_Malloc(size_t nbytes)
 {
         block *bp;
         poolp pool;
         poolp next;
         uint size;
+
+        /*
+         * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes.
+         * Most python internals blindly use a signed Py_ssize_t to track
+         * things without checking for overflows or negatives.
+         * As size_t is unsigned, checking for nbytes < 0 is not required.
+         */
+        if (nbytes > PY_SSIZE_T_MAX)
+                return NULL;
 
         /*
          * This implicitly redirects malloc(0).
          */
         if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) {
                 LOCK();
                 /*
                  * Most frequent paths first
                  */
                 size = (uint)(nbytes - 1) >> ALIGNMENT_SHIFT;
@@ skipping 384 matching lines @@
 #undef PyObject_Realloc
 void *
 PyObject_Realloc(void *p, size_t nbytes)
 {
         void *bp;
         poolp pool;
         size_t size;
 
         if (p == NULL)
                 return PyObject_Malloc(nbytes);
+
+        /*
+         * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes.
+         * Most python internals blindly use a signed Py_ssize_t to track
+         * things without checking for overflows or negatives.
+         * As size_t is unsigned, checking for nbytes < 0 is not required.
+         */
+        if (nbytes > PY_SSIZE_T_MAX)
+                return NULL;
 
         pool = POOL_ADDR(p);
         if (Py_ADDRESS_IN_RANGE(p, pool)) {
                 /* We're in charge of this block */
                 size = INDEX2SIZE(pool->szidx);
                 if (nbytes <= size) {
                         /* The block is staying the same or shrinking.  If
                          * it's shrinking, there's a tradeoff:  it costs
                          * cycles to copy the block to a smaller size class,
                          * but it wastes memory not to copy it.  The
@@ skipping 594 matching lines @@
  * after the reference.
  */
 int
 Py_ADDRESS_IN_RANGE(void *P, poolp pool)
 {
         return pool->arenaindex < maxarenas &&
                (uptr)P - arenas[pool->arenaindex].address < (uptr)ARENA_SIZE &&
                arenas[pool->arenaindex].address != 0;
 }
 #endif