[Python-checkins] bpo-35090: Fix potential division by zero in allocator wrappers (GH-10174)

Miss Islington (bot) webhook-mailer at python.org
Sun Oct 28 16:59:17 EDT 2018


https://github.com/python/cpython/commit/fd0a3bce6e917b5853c809a309c1513acc176f56
commit: fd0a3bce6e917b5853c809a309c1513acc176f56
branch: 3.6
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: GitHub <noreply at github.com>
date: 2018-10-28T13:59:13-07:00
summary:

bpo-35090: Fix potential division by zero in allocator wrappers (GH-10174)


* Fix potential division by zero in BZ2_Malloc()
* Avoid division by zero in PyLzma_Malloc()
* Avoid division by zero and integer overflow in PyZlib_Malloc()

Reported by Svace static analyzer.
(cherry picked from commit 3d4fabb2a424cb04ae446ebe4428090c386f45a5)

Co-authored-by: Alexey Izbyshev <izbyshev at ispras.ru>

files:
M Modules/_bz2module.c
M Modules/_lzmamodule.c
M Modules/zlibmodule.c

diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
index 3f555992316d..fe06953ec48e 100644
--- a/Modules/_bz2module.c
+++ b/Modules/_bz2module.c
@@ -288,11 +288,11 @@ BZ2_Malloc(void* ctx, int items, int size)
 {
     if (items < 0 || size < 0)
         return NULL;
-    if ((size_t)items > (size_t)PY_SSIZE_T_MAX / (size_t)size)
+    if (size != 0 && (size_t)items > (size_t)PY_SSIZE_T_MAX / (size_t)size)
         return NULL;
     /* PyMem_Malloc() cannot be used: compress() and decompress()
        release the GIL */
-    return PyMem_RawMalloc(items * size);
+    return PyMem_RawMalloc((size_t)items * (size_t)size);
 }
 
 static void
diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
index c265507ff58e..3d3645af9257 100644
--- a/Modules/_lzmamodule.c
+++ b/Modules/_lzmamodule.c
@@ -119,7 +119,7 @@ catch_lzma_error(lzma_ret lzret)
 static void*
 PyLzma_Malloc(void *opaque, size_t items, size_t size)
 {
-    if (items > (size_t)PY_SSIZE_T_MAX / size)
+    if (size != 0 && items > (size_t)PY_SSIZE_T_MAX / size)
         return NULL;
     /* PyMem_Malloc() cannot be used:
        the GIL is not held when lzma_code() is called */
diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
index a20dcd6de51e..dd7eb4fb5219 100644
--- a/Modules/zlibmodule.c
+++ b/Modules/zlibmodule.c
@@ -126,11 +126,11 @@ newcompobject(PyTypeObject *type)
 static void*
 PyZlib_Malloc(voidpf ctx, uInt items, uInt size)
 {
-    if (items > (size_t)PY_SSIZE_T_MAX / size)
+    if (size != 0 && items > (size_t)PY_SSIZE_T_MAX / size)
         return NULL;
     /* PyMem_Malloc() cannot be used: the GIL is not held when
        inflate() and deflate() are called */
-    return PyMem_RawMalloc(items * size);
+    return PyMem_RawMalloc((size_t)items * (size_t)size);
 }
 
 static void



More information about the Python-checkins mailing list