]> granicus.if.org Git - python/commitdiff
projects / python / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 614bfcc)
use safe allocation and reallocation macros
authorBenjamin Peterson <benjamin@python.org>
Sat, 27 Jun 2015 18:41:33 +0000 (13:41 -0500)
committerBenjamin Peterson <benjamin@python.org>
Sat, 27 Jun 2015 18:41:33 +0000 (13:41 -0500)
Misc/NEWS patch | blob | history
Modules/_pickle.c patch | blob | history

diff --git a/Misc/NEWS b/Misc/NEWS
index 0f969207d43d051f5065f048d616e5bd9b22e226..29914fc9ea81e7c9a922cd8ad2e1c162128e9392 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -22,6 +22,8 @@ Core and Builtins
 Library
 -------
 
+- Fix possible integer overflows in the pickle module.
+
 - Issue #22931: Allow '[' and ']' in cookie values.
 
 - Issue #24094: Fix possible crash in json.encode with poorly behaved dict
diff --git a/Modules/_pickle.c b/Modules/_pickle.c
index ae801f74effeb60e78d181855f44855bd0fcbb7f..ec8bd6c3bae878e8131bbf5c80333b7e1e6395e5 100644 (file)
--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@@ -218,9 +218,7 @@ Pdata_grow(Pdata *self)
     if (new_allocated > PY_SSIZE_T_MAX - allocated)
         goto nomemory;
     new_allocated += allocated;
-    if (new_allocated > (PY_SSIZE_T_MAX / sizeof(PyObject *)))
-        goto nomemory;
-    data = PyMem_REALLOC(data, new_allocated * sizeof(PyObject *));
+    PyMem_RESIZE(data, PyObject *, new_allocated);
     if (data == NULL)
         goto nomemory;
 
@@ -433,7 +431,7 @@ PyMemoTable_Copy(PyMemoTable *self)
     /* The table we get from _New() is probably smaller than we wanted.
        Free it and allocate one that's the right size. */
     PyMem_FREE(new->mt_table);
-    new->mt_table = PyMem_MALLOC(self->mt_allocated * sizeof(PyMemoEntry));
+    new->mt_table = PyMem_NEW(PyMemoEntry, self->mt_allocated);
     if (new->mt_table == NULL) {
         PyMem_FREE(new);
         return NULL;
@@ -527,7 +525,7 @@ _PyMemoTable_ResizeTable(PyMemoTable *self, Py_ssize_t min_size)
 
     /* Allocate new table. */
     oldtable = self->mt_table;
-    self->mt_table = PyMem_MALLOC(new_size * sizeof(PyMemoEntry));
+    self->mt_table = PyMem_NEW(PyMemoEntry, new_size);
     if (self->mt_table == NULL) {
         PyMem_FREE(oldtable);
         PyErr_NoMemory();
@@ -1055,16 +1053,14 @@ static int
 _Unpickler_ResizeMemoList(UnpicklerObject *self, Py_ssize_t new_size)
 {
     Py_ssize_t i;
-    PyObject **memo;
 
     assert(new_size > self->memo_size);
 
-    memo = PyMem_REALLOC(self->memo, new_size * sizeof(PyObject *));
-    if (memo == NULL) {
+    PyMem_RESIZE(self->memo, PyObject *, new_size);
+    if (self->memo == NULL) {
         PyErr_NoMemory();
         return -1;
     }
-    self->memo = memo;
     for (i = self->memo_size; i < new_size; i++)
         self->memo[i] = NULL;
     self->memo_size = new_size;
@@ -1103,7 +1099,7 @@ _Unpickler_MemoPut(UnpicklerObject *self, Py_ssize_t idx, PyObject *value)
 static PyObject **
 _Unpickler_NewMemo(Py_ssize_t new_size)
 {
-    PyObject **memo = PyMem_MALLOC(new_size * sizeof(PyObject *));
+    PyObject **memo = PyMem_NEW(PyObject *, new_size);
     if (memo == NULL)
         return NULL;
     memset(memo, 0, new_size * sizeof(PyObject *));
@@ -5270,7 +5266,6 @@ load_mark(UnpicklerObject *self)
 
     if ((self->num_marks + 1) >= self->marks_size) {
         size_t alloc;
-        Py_ssize_t *marks;
 
         /* Use the size_t type to check for overflow. */
         alloc = ((size_t)self->num_marks << 1) + 20;
@@ -5281,15 +5276,14 @@ load_mark(UnpicklerObject *self)
         }
 
         if (self->marks == NULL)
-            marks = (Py_ssize_t *) PyMem_Malloc(alloc * sizeof(Py_ssize_t));
+            self->marks = PyMem_NEW(Py_ssize_t, alloc);
         else
-            marks = (Py_ssize_t *) PyMem_Realloc(self->marks,
-                                                 alloc * sizeof(Py_ssize_t));
-        if (marks == NULL) {
+            PyMem_RESIZE(self->marks, Py_ssize_t, alloc);
+        if (self->marks == NULL) {
+            self->marks_size = 0;
             PyErr_NoMemory();
             return -1;
         }
-        self->marks = marks;
         self->marks_size = (Py_ssize_t)alloc;
     }
 
Unnamed repository; edit this file 'description' to name the repository.