blob: 8abfc2f08541dc86112e7ab292db3a034e3ef0bd (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
$NetBSD: patch-bl,v 1.1 2008/08/05 10:45:46 drochner Exp $
--- Objects/obmalloc.c.orig 2005-07-11 07:57:11.000000000 +0200
+++ Objects/obmalloc.c
@@ -585,6 +585,15 @@ PyObject_Malloc(size_t nbytes)
uint size;
/*
+ * Limit ourselves to INT_MAX bytes to prevent security holes.
+ * Most python internals blindly use a signed Py_ssize_t to track
+ * things without checking for overflows or negatives.
+ * As size_t is unsigned, checking for nbytes < 0 is not required.
+ */
+ if (nbytes > INT_MAX)
+ return NULL;
+
+ /*
* This implicitly redirects malloc(0).
*/
if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) {
@@ -814,6 +823,15 @@ PyObject_Realloc(void *p, size_t nbytes)
if (p == NULL)
return PyObject_Malloc(nbytes);
+ /*
+ * Limit ourselves to INT_MAX bytes to prevent security holes.
+ * Most python internals blindly use a signed Py_ssize_t to track
+ * things without checking for overflows or negatives.
+ * As size_t is unsigned, checking for nbytes < 0 is not required.
+ */
+ if (nbytes > INT_MAX)
+ return NULL;
+
pool = POOL_ADDR(p);
if (Py_ADDRESS_IN_RANGE(p, pool)) {
/* We're in charge of this block */
|
