Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(95)
Issues Repositories
Recent Issues | Sign in with your Google Account to create issues and add comments

Unified Diff: Objects/obmalloc.c

Issue 2599: python - fix buffer overflows in unicode processing and elsewhere SVN Base: http://svn.python.org/view/*checkout*/python/trunk/
Patch Set: Created 1 year, 4 months ago , Downloaded from: http://bugs.python.org/file10825/issue2620-gps02-patch.txt
Use n/p to move between diff chunks; N/P to move between comments. Please Sign in to add in-line comments.
Jump to:
View side by-side-diff with in-line comments
Download patch
« Modules/selectmodule.c ('k') | no next file » | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Objects/obmalloc.c
===================================================================
--- Objects/obmalloc.c (revision 64754)
+++ Objects/obmalloc.c (working copy)
@@ -727,6 +727,15 @@
uint size;
/*
+ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes.
+ * Most python internals blindly use a signed Py_ssize_t to track
+ * things without checking for overflows or negatives.
+ * As size_t is unsigned, checking for nbytes < 0 is not required.
+ */
+ if (nbytes > PY_SSIZE_T_MAX)
+ return NULL;
+
+ /*
* This implicitly redirects malloc(0).
*/
if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) {
@@ -1130,6 +1139,15 @@
if (p == NULL)
return PyObject_Malloc(nbytes);
+ /*
+ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes.
+ * Most python internals blindly use a signed Py_ssize_t to track
+ * things without checking for overflows or negatives.
+ * As size_t is unsigned, checking for nbytes < 0 is not required.
+ */
+ if (nbytes > PY_SSIZE_T_MAX)
+ return NULL;
+
pool = POOL_ADDR(p);
if (Py_ADDRESS_IN_RANGE(p, pool)) {
/* We're in charge of this block */
« Modules/selectmodule.c ('k') | no next file »

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld r497