From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Date: Sun, 28 Oct 2018 20:59:13 +0000 (-0700)
Subject: bpo-35090: Fix potential division by zero in allocator wrappers (GH-10174)
X-Git-Tag: v3.6.8rc1~166
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fd0a3bce6e917b5853c809a309c1513acc176f56;p=thirdparty%2FPython%2Fcpython.git

bpo-35090: Fix potential division by zero in allocator wrappers (GH-10174)


* Fix potential division by zero in BZ2_Malloc()
* Avoid division by zero in PyLzma_Malloc()
* Avoid division by zero and integer overflow in PyZlib_Malloc()

Reported by Svace static analyzer.
(cherry picked from commit 3d4fabb2a424cb04ae446ebe4428090c386f45a5)

Co-authored-by: Alexey Izbyshev <izbyshev@ispras.ru>
---

diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
index 3f555992316d..fe06953ec48e 100644
--- a/Modules/_bz2module.c
+++ b/Modules/_bz2module.c
@@ -288,11 +288,11 @@ BZ2_Malloc(void* ctx, int items, int size)
 {
     if (items < 0 || size < 0)
         return NULL;
-    if ((size_t)items > (size_t)PY_SSIZE_T_MAX / (size_t)size)
+    if (size != 0 && (size_t)items > (size_t)PY_SSIZE_T_MAX / (size_t)size)
         return NULL;
     /* PyMem_Malloc() cannot be used: compress() and decompress()
        release the GIL */
-    return PyMem_RawMalloc(items * size);
+    return PyMem_RawMalloc((size_t)items * (size_t)size);
 }
 
 static void
diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
index c265507ff58e..3d3645af9257 100644
--- a/Modules/_lzmamodule.c
+++ b/Modules/_lzmamodule.c
@@ -119,7 +119,7 @@ catch_lzma_error(lzma_ret lzret)
 static void*
 PyLzma_Malloc(void *opaque, size_t items, size_t size)
 {
-    if (items > (size_t)PY_SSIZE_T_MAX / size)
+    if (size != 0 && items > (size_t)PY_SSIZE_T_MAX / size)
         return NULL;
     /* PyMem_Malloc() cannot be used:
        the GIL is not held when lzma_code() is called */
diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
index a20dcd6de51e..dd7eb4fb5219 100644
--- a/Modules/zlibmodule.c
+++ b/Modules/zlibmodule.c
@@ -126,11 +126,11 @@ newcompobject(PyTypeObject *type)
 static void*
 PyZlib_Malloc(voidpf ctx, uInt items, uInt size)
 {
-    if (items > (size_t)PY_SSIZE_T_MAX / size)
+    if (size != 0 && items > (size_t)PY_SSIZE_T_MAX / size)
         return NULL;
     /* PyMem_Malloc() cannot be used: the GIL is not held when
        inflate() and deflate() are called */
-    return PyMem_RawMalloc(items * size);
+    return PyMem_RawMalloc((size_t)items * (size_t)size);
 }
 
 static void