bpo-35090: Fix potential division by zero in allocator wrappers (GH-10174)

* Fix potential division by zero in BZ2_Malloc() * Avoid division by zero in PyLzma_Malloc() * Avoid division by zero and integer overflow in PyZlib_Malloc() Reported by Svace static analyzer.
2018-10-28 19:45:50 +03:00 · 2018-10-28 19:45:50 +03:00 · 3d4fabb2a4
parent 68d6dc0770
commit 3d4fabb2a4
3 changed files with 5 additions and 5 deletions
--- a/Modules/_bz2module.c
+++ b/Modules/_bz2module.c
@ -277,11 +277,11 @@ BZ2_Malloc(void* ctx, int items, int size)
 {
    if (items < 0 || size < 0)
        return NULL;
-    if ((size_t)items > (size_t)PY_SSIZE_T_MAX / (size_t)size)
+    if (size != 0 && (size_t)items > (size_t)PY_SSIZE_T_MAX / (size_t)size)
        return NULL;
    /* PyMem_Malloc() cannot be used: compress() and decompress()
       release the GIL */
-    return PyMem_RawMalloc(items * size);
+    return PyMem_RawMalloc((size_t)items * (size_t)size);
 }

 static void
--- a/Modules/_lzmamodule.c
+++ b/Modules/_lzmamodule.c
@ -108,7 +108,7 @@ catch_lzma_error(lzma_ret lzret)
 static void*
 PyLzma_Malloc(void *opaque, size_t items, size_t size)
 {
-    if (items > (size_t)PY_SSIZE_T_MAX / size)
+    if (size != 0 && items > (size_t)PY_SSIZE_T_MAX / size)
        return NULL;
    /* PyMem_Malloc() cannot be used:
       the GIL is not held when lzma_code() is called */
--- a/Modules/zlibmodule.c
+++ b/Modules/zlibmodule.c
@ -117,11 +117,11 @@ newcompobject(PyTypeObject *type)
 static void*
 PyZlib_Malloc(voidpf ctx, uInt items, uInt size)
 {
-    if (items > (size_t)PY_SSIZE_T_MAX / size)
+    if (size != 0 && items > (size_t)PY_SSIZE_T_MAX / size)
        return NULL;
    /* PyMem_Malloc() cannot be used: the GIL is not held when
       inflate() and deflate() are called */
-    return PyMem_RawMalloc(items * size);
+    return PyMem_RawMalloc((size_t)items * (size_t)size);
 }

 static void