From: Zackery Spytz <zspytz@gmail.com>
Date: Sun, 22 Jul 2018 16:53:56 +0000 (-0600)
Subject: bpo-25943: Check for integer overflow in bsddb's DB_join(). (GH-8392)
X-Git-Tag: v2.7.16rc1~199
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=041a4ee9456d716dd449d38a5328b82e76f5dbc4;p=thirdparty%2FPython%2Fcpython.git

bpo-25943: Check for integer overflow in bsddb's DB_join(). (GH-8392)
---

diff --git a/Modules/_bsddb.c b/Modules/_bsddb.c
index a8867942b1fe..6a1c188cbd96 100644
--- a/Modules/_bsddb.c
+++ b/Modules/_bsddb.c
@@ -2257,7 +2257,7 @@ static PyObject*
 DB_join(DBObject* self, PyObject* args)
 {
     int err, flags=0;
-    int length, x;
+    Py_ssize_t length, x;
     PyObject* cursorsObj;
     DBC** cursors;
     DBC*  dbc;
@@ -2274,6 +2274,12 @@ DB_join(DBObject* self, PyObject* args)
     }
 
     length = PyObject_Length(cursorsObj);
+    if (length == -1) {
+        return NULL;
+    }
+    if (length >= PY_SSIZE_T_MAX / sizeof(DBC*)) {
+        return PyErr_NoMemory();
+    }
     cursors = malloc((length+1) * sizeof(DBC*));
     if (!cursors) {
         PyErr_NoMemory();