[Python-checkins] r54554 - python/branches/release25-maint/Modules/_ctypes/_ctypes.c
thomas.heller
python-checkins at python.org
Fri Mar 23 20:56:46 CET 2007
Author: thomas.heller
Date: Fri Mar 23 20:56:45 2007
New Revision: 54554
Modified:
python/branches/release25-maint/Modules/_ctypes/_ctypes.c
Log:
Prevent creation (followed by a segfault) of array types when the size
overflows the valid Py_ssize_t range. Check return values of
PyMem_Malloc.
Backported from trunk.
Modified: python/branches/release25-maint/Modules/_ctypes/_ctypes.c
==============================================================================
--- python/branches/release25-maint/Modules/_ctypes/_ctypes.c (original)
+++ python/branches/release25-maint/Modules/_ctypes/_ctypes.c Fri Mar 23 20:56:45 2007
@@ -1002,6 +1002,12 @@
}
itemsize = itemdict->size;
+ if (length * itemsize < 0) {
+ PyErr_SetString(PyExc_OverflowError,
+ "array too large");
+ return NULL;
+ }
+
itemalign = itemdict->align;
stgdict->size = itemsize * length;
@@ -2176,7 +2182,7 @@
0, /* tp_free */
};
-static void CData_MallocBuffer(CDataObject *obj, StgDictObject *dict)
+static int CData_MallocBuffer(CDataObject *obj, StgDictObject *dict)
{
if ((size_t)dict->size <= sizeof(obj->b_value)) {
/* No need to call malloc, can use the default buffer */
@@ -2193,10 +2199,15 @@
33% of the creation time for c_int().
*/
obj->b_ptr = (char *)PyMem_Malloc(dict->size);
+ if (obj->b_ptr == NULL) {
+ PyErr_NoMemory();
+ return -1;
+ }
obj->b_needsfree = 1;
memset(obj->b_ptr, 0, dict->size);
}
obj->b_size = dict->size;
+ return 0;
}
PyObject *
@@ -2228,7 +2239,10 @@
cmem->b_base = (CDataObject *)base;
cmem->b_index = index;
} else { /* copy contents of adr */
- CData_MallocBuffer(cmem, dict);
+ if (-1 == CData_MallocBuffer(cmem, dict)) {
+ return NULL;
+ Py_DECREF(cmem);
+ }
memcpy(cmem->b_ptr, adr, dict->size);
cmem->b_index = index;
}
@@ -2441,7 +2455,10 @@
obj->b_objects = NULL;
obj->b_length = dict->length;
- CData_MallocBuffer(obj, dict);
+ if (-1 == CData_MallocBuffer(obj, dict)) {
+ Py_DECREF(obj);
+ return NULL;
+ }
return (PyObject *)obj;
}
/*****************************************************************/
More information about the Python-checkins
mailing list