bpo-25943: Check for integer overflow in bsddb's DB_join(). (GH-8392)
authorZackery Spytz <zspytz@gmail.com>
Sun, 22 Jul 2018 16:53:56 +0000 (10:53 -0600)
committerSerhiy Storchaka <storchaka@gmail.com>
Sun, 22 Jul 2018 16:53:56 +0000 (19:53 +0300)
Modules/_bsddb.c

index a8867942b1fe6e1cb69ff08f72c1a0e4a38dbf39..6a1c188cbd963905b256b8ad9269e2ed7a7d7887 100644 (file)
@@ -2257,7 +2257,7 @@ static PyObject*
 DB_join(DBObject* self, PyObject* args)
 {
     int err, flags=0;
-    int length, x;
+    Py_ssize_t length, x;
     PyObject* cursorsObj;
     DBC** cursors;
     DBC*  dbc;
@@ -2274,6 +2274,12 @@ DB_join(DBObject* self, PyObject* args)
     }
 
     length = PyObject_Length(cursorsObj);
+    if (length == -1) {
+        return NULL;
+    }
+    if (length >= PY_SSIZE_T_MAX / sizeof(DBC*)) {
+        return PyErr_NoMemory();
+    }
     cursors = malloc((length+1) * sizeof(DBC*));
     if (!cursors) {
         PyErr_NoMemory();
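Review bot: The added overflow test compares the signed `length` with an unsigned `size_t` quotient, so it is only correct because the `length == -1` check above it has already run; writing that first guard as `if (length < 0) {` rejects any negative value and keeps the comparison safe if the two checks are ever reordered. The `>=` (rather than `>`) is what accounts for the extra element in `malloc((length+1) * sizeof(DBC*))`, and that deserves a comment, for example `/* >= because one extra slot is allocated below */`. The new path uses `return PyErr_NoMemory();` while the existing malloc-failure path calls `PyErr_NoMemory();` as a separate statement (its return is outside the hunk); using one form for both would read more consistently. DB_join begins before this hunk and continues past its last line.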