Commit 8469fbe0 authored by Benjamin Peterson's avatar Benjamin Peterson

use safe allocation and reallocation macros

parent 003d6a77
...@@ -22,6 +22,8 @@ Core and Builtins ...@@ -22,6 +22,8 @@ Core and Builtins
Library Library
------- -------
- Fix possible integer overflows in the pickle module.
- Issue #22931: Allow '[' and ']' in cookie values. - Issue #22931: Allow '[' and ']' in cookie values.
- Issue #24094: Fix possible crash in json.encode with poorly behaved dict - Issue #24094: Fix possible crash in json.encode with poorly behaved dict
......
...@@ -218,9 +218,7 @@ Pdata_grow(Pdata *self) ...@@ -218,9 +218,7 @@ Pdata_grow(Pdata *self)
if (new_allocated > PY_SSIZE_T_MAX - allocated) if (new_allocated > PY_SSIZE_T_MAX - allocated)
goto nomemory; goto nomemory;
new_allocated += allocated; new_allocated += allocated;
if (new_allocated > (PY_SSIZE_T_MAX / sizeof(PyObject *))) PyMem_RESIZE(data, PyObject *, new_allocated);
goto nomemory;
data = PyMem_REALLOC(data, new_allocated * sizeof(PyObject *));
if (data == NULL) if (data == NULL)
goto nomemory; goto nomemory;
...@@ -433,7 +431,7 @@ PyMemoTable_Copy(PyMemoTable *self) ...@@ -433,7 +431,7 @@ PyMemoTable_Copy(PyMemoTable *self)
/* The table we get from _New() is probably smaller than we wanted. /* The table we get from _New() is probably smaller than we wanted.
Free it and allocate one that's the right size. */ Free it and allocate one that's the right size. */
PyMem_FREE(new->mt_table); PyMem_FREE(new->mt_table);
new->mt_table = PyMem_MALLOC(self->mt_allocated * sizeof(PyMemoEntry)); new->mt_table = PyMem_NEW(PyMemoEntry, self->mt_allocated);
if (new->mt_table == NULL) { if (new->mt_table == NULL) {
PyMem_FREE(new); PyMem_FREE(new);
return NULL; return NULL;
...@@ -527,7 +525,7 @@ _PyMemoTable_ResizeTable(PyMemoTable *self, Py_ssize_t min_size) ...@@ -527,7 +525,7 @@ _PyMemoTable_ResizeTable(PyMemoTable *self, Py_ssize_t min_size)
/* Allocate new table. */ /* Allocate new table. */
oldtable = self->mt_table; oldtable = self->mt_table;
self->mt_table = PyMem_MALLOC(new_size * sizeof(PyMemoEntry)); self->mt_table = PyMem_NEW(PyMemoEntry, new_size);
if (self->mt_table == NULL) { if (self->mt_table == NULL) {
PyMem_FREE(oldtable); PyMem_FREE(oldtable);
PyErr_NoMemory(); PyErr_NoMemory();
...@@ -1055,16 +1053,14 @@ static int ...@@ -1055,16 +1053,14 @@ static int
_Unpickler_ResizeMemoList(UnpicklerObject *self, Py_ssize_t new_size) _Unpickler_ResizeMemoList(UnpicklerObject *self, Py_ssize_t new_size)
{ {
Py_ssize_t i; Py_ssize_t i;
PyObject **memo;
assert(new_size > self->memo_size); assert(new_size > self->memo_size);
memo = PyMem_REALLOC(self->memo, new_size * sizeof(PyObject *)); PyMem_RESIZE(self->memo, PyObject *, new_size);
if (memo == NULL) { if (self->memo == NULL) {
PyErr_NoMemory(); PyErr_NoMemory();
return -1; return -1;
} }
self->memo = memo;
for (i = self->memo_size; i < new_size; i++) for (i = self->memo_size; i < new_size; i++)
self->memo[i] = NULL; self->memo[i] = NULL;
self->memo_size = new_size; self->memo_size = new_size;
...@@ -1103,7 +1099,7 @@ _Unpickler_MemoPut(UnpicklerObject *self, Py_ssize_t idx, PyObject *value) ...@@ -1103,7 +1099,7 @@ _Unpickler_MemoPut(UnpicklerObject *self, Py_ssize_t idx, PyObject *value)
static PyObject ** static PyObject **
_Unpickler_NewMemo(Py_ssize_t new_size) _Unpickler_NewMemo(Py_ssize_t new_size)
{ {
PyObject **memo = PyMem_MALLOC(new_size * sizeof(PyObject *)); PyObject **memo = PyMem_NEW(PyObject *, new_size);
if (memo == NULL) if (memo == NULL)
return NULL; return NULL;
memset(memo, 0, new_size * sizeof(PyObject *)); memset(memo, 0, new_size * sizeof(PyObject *));
...@@ -5270,7 +5266,6 @@ load_mark(UnpicklerObject *self) ...@@ -5270,7 +5266,6 @@ load_mark(UnpicklerObject *self)
if ((self->num_marks + 1) >= self->marks_size) { if ((self->num_marks + 1) >= self->marks_size) {
size_t alloc; size_t alloc;
Py_ssize_t *marks;
/* Use the size_t type to check for overflow. */ /* Use the size_t type to check for overflow. */
alloc = ((size_t)self->num_marks << 1) + 20; alloc = ((size_t)self->num_marks << 1) + 20;
...@@ -5281,15 +5276,14 @@ load_mark(UnpicklerObject *self) ...@@ -5281,15 +5276,14 @@ load_mark(UnpicklerObject *self)
} }
if (self->marks == NULL) if (self->marks == NULL)
marks = (Py_ssize_t *) PyMem_Malloc(alloc * sizeof(Py_ssize_t)); self->marks = PyMem_NEW(Py_ssize_t, alloc);
else else
marks = (Py_ssize_t *) PyMem_Realloc(self->marks, PyMem_RESIZE(self->marks, Py_ssize_t, alloc);
alloc * sizeof(Py_ssize_t)); if (self->marks == NULL) {
if (marks == NULL) { self->marks_size = 0;
PyErr_NoMemory(); PyErr_NoMemory();
return -1; return -1;
} }
self->marks = marks;
self->marks_size = (Py_ssize_t)alloc; self->marks_size = (Py_ssize_t)alloc;
} }
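Review bot: In `_Unpickler_ResizeMemoList`, `PyMem_RESIZE(self->memo, PyObject *, new_size)` writes its result straight into `self->memo`, so on failure (out of memory or the macro's size-overflow check) the field becomes NULL. The old array then becomes unreachable and `self->memo_size` keeps its old non-zero value. Any later code that trusts `memo_size` as a bound for indexing `self->memo` would dereference NULL, and the leaked block presumably still holds object references. Resizing through a temporary keeps the unpickler consistent: `PyObject **memo_new = self->memo;`, then `PyMem_RESIZE(memo_new, PyObject *, new_size);`, test `memo_new == NULL`, and assign `self->memo = memo_new;` only on success. The `PyMem_RESIZE(self->marks, Py_ssize_t, alloc)` branch in `load_mark` has the same overwrite-on-failure pattern; it does reset `marks_size` to 0, but the previous marks block is still lost and `num_marks` appears unchanged. Both function bodies extend beyond the visible hunks, so please check the callers' error paths as well.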
......