Carefully check for overflow when allocating the memory for fromfile
authorGuido van Rossum <guido@python.org>
Tue, 23 Feb 1999 18:05:22 +0000 (18:05 +0000)
committerGuido van Rossum <guido@python.org>
Tue, 23 Feb 1999 18:05:22 +0000 (18:05 +0000)
-- someone tried to pass in sys.maxint and got bitten by the bogus
calculations.

Modules/arraymodule.c

index 656f5a68af1bed999857dd6eca7e1074a21e5218..bb0a9edb33b42640c1f0c1f6b8a666c7b4ae2d33 100644 (file)
@@ -935,8 +935,15 @@ array_fromfile(self, args)
                char *item = self->ob_item;
                int itemsize = self->ob_descr->itemsize;
                int nread;
-               PyMem_RESIZE(item, char, (self->ob_size + n) * itemsize);
+               int newlength;
+               size_t newbytes;
+               /* Be careful here about overflow */
+               if ((newlength = self->ob_size + n) <= 0 ||
+                   (newbytes = newlength * itemsize) / itemsize != newlength)
+                       goto nomem;
+               PyMem_RESIZE(item, char, newbytes);
                if (item == NULL) {
+                 nomem:
                        PyErr_NoMemory();
                        return NULL;
                }
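Review bot: The overflow guard in the added `if` runs only after the arithmetic it is meant to protect. Both `self->ob_size + n` and `newlength * itemsize` are evaluated in signed `int`, where overflow is undefined behaviour, so the `<= 0` test and the divide-back test rely on wraparound that the compiler need not provide. Testing the bounds first avoids this: `if (n < 0 || n > INT_MAX - self->ob_size) goto nomem;`, then `if ((size_t)newlength > (size_t)-1 / itemsize) goto nomem;`, and only then `newbytes = (size_t)newlength * itemsize;`. This assumes `n` is an `int` and `itemsize` is positive, and it needs `<limits.h>`. The declaration of `n` and the rest of `array_fromfile` are outside the hunk, so whether a zero-length request can reach the `<= 0` test and be reported as a memory error cannot be told from here.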