5d6556dc39
memory allocation (CVE-2008-2315 and CVE-2008-2316) - also apply upstream svn rev.65262, fixes overflow checks in memory allocation (CVE-2008-3142 and CVE-2008-3144) Approved by: portmgr (pav) Security: http://www.vuxml.org/freebsd/0dccaa28-7f3c-11dd-8de5-0030843d3802.html
35 lines
1.1 KiB
C
35 lines
1.1 KiB
C
--- Objects/obmalloc.c.orig 2005-07-11 07:57:11.000000000 +0200
|
|
+++ Objects/obmalloc.c
|
|
@@ -585,6 +585,15 @@ PyObject_Malloc(size_t nbytes)
|
|
uint size;
|
|
|
|
/*
|
|
+ * Limit ourselves to INT_MAX bytes to prevent security holes.
|
|
+ * Most python internals blindly use a signed Py_ssize_t to track
|
|
+ * things without checking for overflows or negatives.
|
|
+ * As size_t is unsigned, checking for nbytes < 0 is not required.
|
|
+ */
|
|
+ if (nbytes > INT_MAX)
|
|
+ return NULL;
|
|
+
|
|
+ /*
|
|
* This implicitly redirects malloc(0).
|
|
*/
|
|
if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) {
|
|
@@ -814,6 +823,15 @@ PyObject_Realloc(void *p, size_t nbytes)
|
|
if (p == NULL)
|
|
return PyObject_Malloc(nbytes);
|
|
|
|
+ /*
|
|
+ * Limit ourselves to INT_MAX bytes to prevent security holes.
|
|
+ * Most python internals blindly use a signed Py_ssize_t to track
|
|
+ * things without checking for overflows or negatives.
|
|
+ * As size_t is unsigned, checking for nbytes < 0 is not required.
|
|
+ */
|
|
+ if (nbytes > INT_MAX)
|
|
+ return NULL;
|
|
+
|
|
pool = POOL_ADDR(p);
|
|
if (Py_ADDRESS_IN_RANGE(p, pool)) {
|
|
/* We're in charge of this block */
|