Skip to content

C
cpython
Commit dbf9affe authored by Guido van Rossum's avatar Guido van Rossum
Browse files
Options

Appropriate overflow checks so that things like sys.maxint*(1,) can't 

dump core.
parent 5257e881
Hide whitespace changes
Inline Side-by-side
Showing with 13 additions and 3 deletions
Objects/tupleobject.c
View file @ dbf9affe
...@@ -82,8 +82,16 @@ PyTuple_New(size) ...@@ -82,8 +82,16 @@ PyTuple_New(size)
else else
#endif #endif
{ {
op = (PyTupleObject *) malloc( int nbytes = size * sizeof(PyObject *);
sizeof(PyTupleObject) + (size-1) * sizeof(PyObject *)); /* Check for overflow */
if (nbytes / sizeof(PyObject *) != (size_t)size ||
(nbytes += sizeof(PyTupleObject) - sizeof(PyObject *))
<= 0)
{
return PyErr_NoMemory();
}
;
op = (PyTupleObject *) malloc(nbytes);
if (op == NULL) if (op == NULL)
return PyErr_NoMemory(); return PyErr_NoMemory();
...@@ -359,13 +367,15 @@ tuplerepeat(a, n) ...@@ -359,13 +367,15 @@ tuplerepeat(a, n)
PyObject **p; PyObject **p;
if (n < 0) if (n < 0)
n = 0; n = 0;
if (a->ob_size*n == a->ob_size) { if (a->ob_size == 0 || n == 1) {
/* Since tuples are immutable, we can return a shared /* Since tuples are immutable, we can return a shared
copy in this case */ copy in this case */
Py_INCREF(a); Py_INCREF(a);
return (PyObject *)a; return (PyObject *)a;
} }
size = a->ob_size * n; size = a->ob_size * n;
if (size/n != a->ob_size)
return PyErr_NoMemory();
np = (PyTupleObject *) PyTuple_New(size); np = (PyTupleObject *) PyTuple_New(size);
if (np == NULL) if (np == NULL)
return NULL; return NULL;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7