also apply upstream svn rev.65262, fixes overflow checks in memory

allocation (CVE-2008-3142), ride on PKGREVISION bump some minutes ago

6 files changed, 171 insertions, 1 deletions

diff --git a/lang/python24/distinfo b/lang/python24/distinfo
index 7c304c1a51f..ea4cd5d3e18 100644
--- a/lang/python24/distinfo
+++ b/lang/python24/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.29 2008/08/05 10:13:34 drochner Exp $
+$NetBSD: distinfo,v 1.30 2008/08/05 10:45:45 drochner Exp $
 
 SHA1 (Python-2.4.5.tar.bz2) = 6e9e1ac2b70cc10c36063a25ab5a5ddb53177107
 RMD160 (Python-2.4.5.tar.bz2) = b43f2114697be751f03ec7cfb46f8c4946a73097
@@ -30,3 +30,8 @@ SHA1 (patch-bd) = f760e4995888e22997d27598872fcf25cb89cbfe
 SHA1 (patch-be) = ce192dc8ec7b53b691288f1fecc8abbd9b61e9ea
 SHA1 (patch-bf) = c0ae4152a0991d1c814462a5a8e925c9a9a6c254
 SHA1 (patch-bg) = 30a6d65a10bc0e6df5229635ad89a27e1093a347
+SHA1 (patch-bh) = 4eee3ae6ff7ea9ca5c599dd782d78fb35a0562f4
+SHA1 (patch-bi) = 735906d3fb35bfe0d3b8d410b3a240e358215e05
+SHA1 (patch-bj) = ee23fac376746e48ee00e73b9ecc688086b7bc98
+SHA1 (patch-bk) = 4af3c66a3f6b773dc5fc14943a36b0906024e885
+SHA1 (patch-bl) = 9a192f5f4afd4296493599414a714bba6085d897
diff --git a/lang/python24/patches/patch-bh b/lang/python24/patches/patch-bh
new file mode 100644
index 00000000000..51ffc629d48
--- /dev/null
+++ b/lang/python24/patches/patch-bh
@@ -0,0 +1,60 @@
+$NetBSD: patch-bh,v 1.1 2008/08/05 10:45:45 drochner Exp $
+
+--- Include/pymem.h.orig	2008-03-02 20:20:32.000000000 +0100
++++ Include/pymem.h
+@@ -66,8 +66,12 @@ PyAPI_FUNC(void) PyMem_Free(void *);
+    for malloc(0), which would be treated as an error. Some platforms
+    would return a pointer with no memory behind it, which would break
+    pymalloc. To solve these problems, allocate an extra byte. */
+-#define PyMem_MALLOC(n)         malloc((n) ? (n) : 1)
+-#define PyMem_REALLOC(p, n)     realloc((p), (n) ? (n) : 1)
++/* Returns NULL to indicate error if a negative size or size larger than
++   Py_ssize_t can represent is supplied.  Helps prevents security holes. */
++#define PyMem_MALLOC(n)		(((n) < 0 || (n) > INT_MAX) ? NULL \
++				: malloc((n) ? (n) : 1))
++#define PyMem_REALLOC(p, n)	(((n) < 0 || (n) > INT_MAX) ? NULL \
++				: realloc((p), (n) ? (n) : 1))
+ 
+ #endif	/* PYMALLOC_DEBUG */
+ 
+@@ -80,24 +84,31 @@ PyAPI_FUNC(void) PyMem_Free(void *);
+  * Type-oriented memory interface
+  * ==============================
+  *
+- * These are carried along for historical reasons.  There's rarely a good
+- * reason to use them anymore (you can just as easily do the multiply and
+- * cast yourself).
++ * Allocate memory for n objects of the given type.  Returns a new pointer
++ * or NULL if the request was too large or memory allocation failed.  Use
++ * these macros rather than doing the multiplication yourself so that proper
++ * overflow checking is always done.
+  */
+ 
+ #define PyMem_New(type, n) \
+-  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
++  ( ((n) > INT_MAX / sizeof(type)) ? NULL : \
+ 	( (type *) PyMem_Malloc((n) * sizeof(type)) ) )
+ #define PyMem_NEW(type, n) \
+-  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
++  ( ((n) > INT_MAX / sizeof(type)) ? NULL : \
+ 	( (type *) PyMem_MALLOC((n) * sizeof(type)) ) )
+ 
++/*
++ * The value of (p) is always clobbered by this macro regardless of success.
++ * The caller MUST check if (p) is NULL afterwards and deal with the memory
++ * error if so.  This means the original value of (p) MUST be saved for the
++ * caller's memory error handler to not lose track of it.
++ */
+ #define PyMem_Resize(p, type, n) \
+-  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+-	( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) )
++  ( (p) = ((n) > INT_MAX / sizeof(type)) ? NULL : \
++	(type *) PyMem_Realloc((p), (n) * sizeof(type)) )
+ #define PyMem_RESIZE(p, type, n) \
+-  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+-	( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) )
++  ( (p) = ((n) > INT_MAX / sizeof(type)) ? NULL : \
++	(type *) PyMem_REALLOC((p), (n) * sizeof(type)) )
+ 
+ /* In order to avoid breaking old code mixing PyObject_{New, NEW} with
+    PyMem_{Del, DEL} and PyMem_{Free, FREE}, the PyMem "release memory"
diff --git a/lang/python24/patches/patch-bi b/lang/python24/patches/patch-bi
new file mode 100644
index 00000000000..cb4d2c5e95d
--- /dev/null
+++ b/lang/python24/patches/patch-bi
@@ -0,0 +1,16 @@
+$NetBSD: patch-bi,v 1.1 2008/08/05 10:45:45 drochner Exp $
+
+--- Modules/almodule.c.orig	2006-09-27 21:17:32.000000000 +0200
++++ Modules/almodule.c
+@@ -1633,9 +1633,11 @@ al_QueryValues(PyObject *self, PyObject 
+ 	if (nvals < 0)
+ 		goto cleanup;
+ 	if (nvals > setsize) {
++		ALvalue *old_return_set = return_set;
+ 		setsize = nvals;
+ 		PyMem_RESIZE(return_set, ALvalue, setsize);
+ 		if (return_set == NULL) {
++			return_set = old_return_set;
+ 			PyErr_NoMemory();
+ 			goto cleanup;
+ 		}
diff --git a/lang/python24/patches/patch-bj b/lang/python24/patches/patch-bj
new file mode 100644
index 00000000000..6bf08ba39f6
--- /dev/null
+++ b/lang/python24/patches/patch-bj
@@ -0,0 +1,35 @@
+$NetBSD: patch-bj,v 1.1 2008/08/05 10:45:45 drochner Exp $
+
+--- Modules/arraymodule.c.orig	2008-03-02 20:20:32.000000000 +0100
++++ Modules/arraymodule.c
+@@ -814,6 +814,7 @@ static int
+ array_do_extend(arrayobject *self, PyObject *bb)
+ {
+ 	int size;
++	char *old_item;
+ 
+ 	if (!array_Check(bb))
+ 		return array_iter_extend(self, bb);
+@@ -829,10 +830,11 @@ array_do_extend(arrayobject *self, PyObj
+ 			return -1;
+ 	}
+ 	size = self->ob_size + b->ob_size;
++	old_item = self->ob_item;
+         PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize);
+         if (self->ob_item == NULL) {
+-                PyObject_Del(self);
+-                PyErr_NoMemory();
++		self->ob_item = old_item;
++		PyErr_NoMemory();
+ 		return -1;
+         }
+ 	memcpy(self->ob_item + self->ob_size*self->ob_descr->itemsize,
+@@ -884,7 +886,7 @@ array_inplace_repeat(arrayobject *self, 
+ 			if (size > INT_MAX / n) {
+ 				return PyErr_NoMemory();
+ 			}
+-			PyMem_Resize(items, char, n * size);
++			PyMem_RESIZE(items, char, n * size);
+ 			if (items == NULL)
+ 				return PyErr_NoMemory();
+ 			p = items;
diff --git a/lang/python24/patches/patch-bk b/lang/python24/patches/patch-bk
new file mode 100644
index 00000000000..85c60356c3a
--- /dev/null
+++ b/lang/python24/patches/patch-bk
@@ -0,0 +1,18 @@
+$NetBSD: patch-bk,v 1.1 2008/08/05 10:45:45 drochner Exp $
+
+--- Modules/selectmodule.c.orig	2006-09-27 21:17:32.000000000 +0200
++++ Modules/selectmodule.c
+@@ -342,10 +342,12 @@ update_ufd_array(pollObject *self)
+ {
+ 	int i, pos;
+ 	PyObject *key, *value;
++        struct pollfd *old_ufds = self->ufds;
+ 
+ 	self->ufd_len = PyDict_Size(self->dict);
+-	PyMem_Resize(self->ufds, struct pollfd, self->ufd_len);
++	PyMem_RESIZE(self->ufds, struct pollfd, self->ufd_len);
+ 	if (self->ufds == NULL) {
++                self->ufds = old_ufds;
+ 		PyErr_NoMemory();
+ 		return 0;
+ 	}
diff --git a/lang/python24/patches/patch-bl b/lang/python24/patches/patch-bl
new file mode 100644
index 00000000000..8abfc2f0854
--- /dev/null
+++ b/lang/python24/patches/patch-bl
@@ -0,0 +1,36 @@
+$NetBSD: patch-bl,v 1.1 2008/08/05 10:45:46 drochner Exp $
+
+--- Objects/obmalloc.c.orig	2005-07-11 07:57:11.000000000 +0200
++++ Objects/obmalloc.c
+@@ -585,6 +585,15 @@ PyObject_Malloc(size_t nbytes)
+ 	uint size;
+ 
+ 	/*
++	 * Limit ourselves to INT_MAX bytes to prevent security holes.
++	 * Most python internals blindly use a signed Py_ssize_t to track
++	 * things without checking for overflows or negatives.
++	 * As size_t is unsigned, checking for nbytes < 0 is not required.
++	 */
++	if (nbytes > INT_MAX)
++		return NULL;
++
++	/*
+ 	 * This implicitly redirects malloc(0).
+ 	 */
+ 	if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) {
+@@ -814,6 +823,15 @@ PyObject_Realloc(void *p, size_t nbytes)
+ 	if (p == NULL)
+ 		return PyObject_Malloc(nbytes);
+ 
++	/*
++	 * Limit ourselves to INT_MAX bytes to prevent security holes.
++	 * Most python internals blindly use a signed Py_ssize_t to track
++	 * things without checking for overflows or negatives.
++	 * As size_t is unsigned, checking for nbytes < 0 is not required.
++	 */
++	if (nbytes > INT_MAX)
++		return NULL;
++
+ 	pool = POOL_ADDR(p);
+ 	if (Py_ADDRESS_IN_RANGE(p, pool)) {
+ 		/* We're in charge of this block */