From 5bc51f2f27dfeb57ae08b659ef1aa0c035077d60 Mon Sep 17 00:00:00 2001
From: Guido van Rossum
Date: Mon, 12 Jul 1999 23:06:58 +0000
Subject: [PATCH] Appropriate overflow checks so that things like sys.maxint*(1,) can't dump core.
---
 Objects/tupleobject.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/Objects/tupleobject.c b/Objects/tupleobject.c
index 4b7714c9cf..225835ca85 100644
--- a/Objects/tupleobject.c
+++ b/Objects/tupleobject.c
@@ -82,8 +82,16 @@ PyTuple_New(size)
 else
 #endif
 {
- op = (PyTupleObject *) malloc(
- sizeof(PyTupleObject) + (size-1) * sizeof(PyObject *));
+ int nbytes = size * sizeof(PyObject *);
+ /* Check for overflow */
+ if (nbytes / sizeof(PyObject *) != (size_t)size ||
+ (nbytes += sizeof(PyTupleObject) - sizeof(PyObject *))
+ <= 0)
+ {
+ return PyErr_NoMemory();
+ }
+ ;
+ op = (PyTupleObject *) malloc(nbytes);
 if (op == NULL)
 return PyErr_NoMemory();
@@ -359,13 +367,15 @@ tuplerepeat(a, n)
 PyObject **p;
 if (n < 0)
 n = 0;
- if (a->ob_size*n == a->ob_size) {
+ if (a->ob_size == 0 || n == 1) {
 /* Since tuples are immutable, we can return a shared copy in this case */
 Py_INCREF(a);
 return (PyObject *)a;
 }
 size = a->ob_size * n;
+ if (size/n != a->ob_size)
+ return PyErr_NoMemory();
 np = (PyTupleObject *) PyTuple_New(size);
 if (np == NULL)
 return NULL;
-- 
2.49.0
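Review bot: The overflow test added in PyTuple_New depends on narrowing an out-of-range `size_t` product back to `int` (`int nbytes = size * sizeof(PyObject *)` and the `(nbytes += ...) <= 0` comparison), which is implementation-defined and hard to audit. Bounding the element count before any arithmetic states the limit directly, e.g. `if ((size_t)size > ((size_t)INT_MAX - sizeof(PyTupleObject)) / sizeof(PyObject *)) return PyErr_NoMemory();`, after which `nbytes` can be computed without wraparound; this needs `INT_MAX` from `<limits.h>`, and the file's includes are not visible here. The lone `;` after the closing brace is an empty statement and can be dropped. PyTuple_New's body starts and ends outside the hunk.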
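Review bot: The added check `size/n != a->ob_size` in tuplerepeat divides by zero when `n` is 0 (including a negative count clamped by `if (n < 0) n = 0;`) and the tuple is non-empty, because the rewritten shortcut only returns early for `a->ob_size == 0 || n == 1`. The old condition let that case fall through to `PyTuple_New(0)`, so repeating a non-empty tuple zero times now faults instead of yielding an empty tuple; guarding the division restores it: `if (n && size/n != a->ob_size)`. Separately, the product `a->ob_size * n` is computed before it is checked, so if these are signed ints (their declarations are outside the hunk) the overflow has already occurred, which is undefined behaviour in C; a pre-check such as `if (n && a->ob_size > INT_MAX / n) return PyErr_NoMemory();` avoids relying on wraparound. tuplerepeat's body starts and ends outside the hunk.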