glix
diff --git a/‎Include/pymem.h‎
Lines changed: 8 additions & 4 deletions b/‎Include/pymem.h‎
Lines changed: 8 additions & 4 deletions
diff --git a/‎Include/pyport.h‎
Lines changed: 11 additions & 0 deletions b/‎Include/pyport.h‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎Lib/test/test_array.py‎
Lines changed: 17 additions & 0 deletions b/‎Lib/test/test_array.py‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎Lib/test/test_struct.py‎
Lines changed: 8 additions & 0 deletions b/‎Lib/test/test_struct.py‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎Misc/NEWS‎
Lines changed: 5 additions & 0 deletions b/‎Misc/NEWS‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎Modules/_csv.c‎
Lines changed: 10 additions & 0 deletions b/‎Modules/_csv.c‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎Modules/_struct.c‎
Lines changed: 6 additions & 0 deletions b/‎Modules/_struct.c‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎Modules/arraymodule.c‎
Lines changed: 37 additions & 1 deletion b/‎Modules/arraymodule.c‎
Lines changed: 37 additions & 1 deletion
@@ -85,14 +85,18 @@ PyAPI_FUNC(void) PyMem_Free(void *);
  */
 
 #define PyMem_New(type, n) \
-	( (type *) PyMem_Malloc((n) * sizeof(type)) )
+  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+	( (type *) PyMem_Malloc((n) * sizeof(type)) ) )
 #define PyMem_NEW(type, n) \
-	( (type *) PyMem_MALLOC((n) * sizeof(type)) )
+  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+	( (type *) PyMem_MALLOC((n) * sizeof(type)) ) )
 
 #define PyMem_Resize(p, type, n) \
-	( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) )
+  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+	( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) )
 #define PyMem_RESIZE(p, type, n) \
-	( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) )
+  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+	( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) )
 
 /* PyMem{Del,DEL} are left over from ancient days, and shouldn't be used
  * anymore.  They're just confusing aliases for PyMem_{Free,FREE} now.
 
@@ -117,6 +117,17 @@ typedef Py_intptr_t	Py_ssize_t;
 #   error "Python needs a typedef for Py_ssize_t in pyport.h."
 #endif
 
+/* Largest possible value of size_t.
+   SIZE_MAX is part of C99, so it might be defined on some
+   platforms. If it is not defined, (size_t)-1 is a portable
+   definition for C89, due to the way signed->unsigned 
+   conversion is defined. */
+#ifdef SIZE_MAX
+#define PY_SIZE_MAX SIZE_MAX
+#else
+#define PY_SIZE_MAX ((size_t)-1)
+#endif
+
 /* Largest positive value of type Py_ssize_t. */
 #define PY_SSIZE_T_MAX ((Py_ssize_t)(((size_t)-1)>>1))
 /* Smallest negative value of type Py_ssize_t. */
 
@@ -1009,6 +1009,23 @@ class FloatTest(FPTest):
 class DoubleTest(FPTest):
     typecode = 'd'
     minitemsize = 8
+
+    def test_alloc_overflow(self):
+        a = array.array('d', [-1]*65536)
+        try:
+            a *= 65536
+        except MemoryError:
+            pass
+        else:
+            self.fail("a *= 2**16 didn't raise MemoryError")
+        b = array.array('d', [ 2.71828183, 3.14159265, -1])
+        try:
+            b * 1431655766
+        except MemoryError:
+            pass
+        else:
+            self.fail("a * 1431655766 didn't raise MemoryError")
+
 tests.append(DoubleTest)
 
 def test_main(verbose=None):
 
@@ -8,6 +8,7 @@
 
 import sys
 ISBIGENDIAN = sys.byteorder == "big"
+IS32BIT = sys.maxint == 0x7fffffff
 del sys
 
 try:
@@ -568,6 +569,13 @@ def test_bool(self):
             for c in '\x01\x7f\xff\x0f\xf0':
                 self.assertTrue(struct.unpack('>?', c)[0])
 
+    def test_crasher(self):
+        if IS32BIT:
+            self.assertRaises(MemoryError, struct.pack, "357913941c", "a")
+        else:
+            print "%s test_crasher skipped on 64bit build."
+
+
 
 def test_main():
     run_unittest(StructTest)
 
@@ -40,6 +40,11 @@ Core and Builtins
   Exception (KeyboardInterrupt, and SystemExit) propagate instead of
   ignoring them.
 
+- Added checks for integer overflows, contributed by Google. Some are
+  only available if asserts are left in the code, in cases where they
+  can't be triggered from Python code.
+
+
 Extension Modules
 -----------------
 
 
@@ -559,6 +559,10 @@ parse_grow_buff(ReaderObj *self)
 		self->field = PyMem_Malloc(self->field_size);
 	}
 	else {
+		if (self->field_size > INT_MAX / 2) {
+			PyErr_NoMemory();
+			return 0;
+		} 
 		self->field_size *= 2;
 		self->field = PyMem_Realloc(self->field, self->field_size);
 	}
@@ -1053,6 +1057,12 @@ join_append_data(WriterObj *self, char *field, int quote_empty,
 static int
 join_check_rec_size(WriterObj *self, int rec_len)
 {
+
+	if (rec_len < 0 || rec_len > INT_MAX - MEM_INCR) {
+		PyErr_NoMemory();
+		return 0;
+	}
+
 	if (rec_len > self->rec_size) {
 		if (self->rec_size == 0) {
 			self->rec_size = (rec_len / MEM_INCR + 1) * MEM_INCR;
 
@@ -1385,6 +1385,12 @@ prepare_s(PyStructObject *self)
 		}
 	}
 
+	/* check for overflow */
+	if ((len + 1) > (PY_SSIZE_T_MAX / sizeof(formatcode))) {
+		PyErr_NoMemory();
+		return -1;
+	}
+
 	self->s_size = size;
 	self->s_len = len;
 	codes = PyMem_MALLOC((len + 1) * sizeof(formatcode));
 
@@ -652,6 +652,9 @@ array_concat(arrayobject *a, PyObject *bb)
 		PyErr_BadArgument();
 		return NULL;
 	}
+	if (Py_SIZE(a) > PY_SSIZE_T_MAX - Py_SIZE(b)) {
+		return PyErr_NoMemory();
+	}
 	size = Py_SIZE(a) + Py_SIZE(b);
 	np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr);
 	if (np == NULL) {
@@ -674,6 +677,9 @@ array_repeat(arrayobject *a, Py_ssize_t n)
 	Py_ssize_t nbytes;
 	if (n < 0)
 		n = 0;
+	if ((Py_SIZE(a) != 0) && (n > PY_SSIZE_T_MAX / Py_SIZE(a))) {
+		return PyErr_NoMemory();
+	}
 	size = Py_SIZE(a) * n;
 	np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr);
 	if (np == NULL)
@@ -818,6 +824,11 @@ array_do_extend(arrayobject *self, PyObject *bb)
 			     "can only extend with array of same kind");
 		return -1;
 	}
+	if ((Py_SIZE(self) > PY_SSIZE_T_MAX - Py_SIZE(b)) ||
+		((Py_SIZE(self) + Py_SIZE(b)) > PY_SSIZE_T_MAX / self->ob_descr->itemsize)) {
+			PyErr_NoMemory();
+			return -1;
+	}
 	size = Py_SIZE(self) + Py_SIZE(b);
         PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize);
         if (self->ob_item == NULL) {
@@ -859,6 +870,10 @@ array_inplace_repeat(arrayobject *self, Py_ssize_t n)
 		if (n < 0)
 			n = 0;
 		items = self->ob_item;
+		if ((self->ob_descr->itemsize != 0) && 
+			(Py_SIZE(self) > PY_SSIZE_T_MAX / self->ob_descr->itemsize)) {
+			return PyErr_NoMemory();
+		}
 		size = Py_SIZE(self) * self->ob_descr->itemsize;
 		if (n == 0) {
 			PyMem_FREE(items);
@@ -867,6 +882,9 @@ array_inplace_repeat(arrayobject *self, Py_ssize_t n)
 			self->allocated = 0;
 		}
 		else {
+			if (size > PY_SSIZE_T_MAX / n) {
+				return PyErr_NoMemory();
+			}
 			PyMem_Resize(items, char, n * size);
 			if (items == NULL)
 				return PyErr_NoMemory();
@@ -1148,6 +1166,10 @@ array_reduce(arrayobject *array)
 		Py_INCREF(dict);
 	}
 	if (Py_SIZE(array) > 0) {
+		if (array->ob_descr->itemsize 
+				> PY_SSIZE_T_MAX / array->ob_size) {
+			return PyErr_NoMemory();
+		}
 		result = Py_BuildValue("O(cs#)O", 
 			Py_TYPE(array), 
 			array->ob_descr->typecode,
@@ -1330,6 +1352,9 @@ array_fromlist(arrayobject *self, PyObject *list)
 			if ((*self->ob_descr->setitem)(self,
 					Py_SIZE(self) - n + i, v) != 0) {
 				Py_SIZE(self) -= n;
+				if (itemsize && (self->ob_size > PY_SSIZE_T_MAX / itemsize)) {
+					return PyErr_NoMemory();
+				}
 				PyMem_RESIZE(item, char,
 					          Py_SIZE(self) * itemsize);
 				self->ob_item = item;
@@ -1389,6 +1414,10 @@ array_fromstring(arrayobject *self, PyObject *args)
 	n = n / itemsize;
 	if (n > 0) {
 		char *item = self->ob_item;
+		if ((n > PY_SSIZE_T_MAX - Py_SIZE(self)) ||
+			((Py_SIZE(self) + n) > PY_SSIZE_T_MAX / itemsize)) {
+				return PyErr_NoMemory();
+		}
 		PyMem_RESIZE(item, char, (Py_SIZE(self) + n) * itemsize);
 		if (item == NULL) {
 			PyErr_NoMemory();
@@ -1414,8 +1443,12 @@ values,as if it had been read from a file using the fromfile() method).");
 static PyObject *
 array_tostring(arrayobject *self, PyObject *unused)
 {
-	return PyString_FromStringAndSize(self->ob_item,
+	if (self->ob_size <= PY_SSIZE_T_MAX / self->ob_descr->itemsize) {
+		return PyString_FromStringAndSize(self->ob_item,
 				    Py_SIZE(self) * self->ob_descr->itemsize);
+	} else {
+		return PyErr_NoMemory();
+	}
 }
 
 PyDoc_STRVAR(tostring_doc,
@@ -1443,6 +1476,9 @@ array_fromunicode(arrayobject *self, PyObject *args)
 	}
 	if (n > 0) {
 		Py_UNICODE *item = (Py_UNICODE *) self->ob_item;
+		if (Py_SIZE(self) > PY_SSIZE_T_MAX - n) {
+			return PyErr_NoMemory();
+		}
 		PyMem_RESIZE(item, Py_UNICODE, Py_SIZE(self) + n);
 		if (item == NULL) {
 			PyErr_NoMemory();
Original file line number	Diff line number	Diff line change
`@@ -1385,6 +1385,12 @@ prepare_s(PyStructObject *self)`
`1385`	`1385`	`}`
`1386`	`1386`	`}`
`1387`	`1387`
	`1388`	`+ /* check for overflow */`
	`1389`	`+ if ((len + 1) > (PY_SSIZE_T_MAX / sizeof(formatcode))) {`
	`1390`	`+ PyErr_NoMemory();`
	`1391`	`+ return -1;`
	`1392`	`+ }`
	`1393`	`+`
`1388`	`1394`	`self->s_size = size;`
`1389`	`1395`	`self->s_len = len;`
`1390`	`1396`	`codes = PyMem_MALLOC((len + 1) * sizeof(formatcode));`