From 5d1866c78a4caf9825a0ce90863c19f65279da86 Mon Sep 17 00:00:00 2001
From: Victor Stinner <victor.stinner@gmail.com>
Date: Mon, 8 Jul 2013 22:17:52 +0200
Subject: [PATCH] Issue #18408: PyObject_GC_NewVar() now raises SystemError
 exception if nitems is negative

---
 Modules/gcmodule.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/Modules/gcmodule.c b/Modules/gcmodule.c
index 51c80b236e6..d96d2c7b68a 100644
--- a/Modules/gcmodule.c
+++ b/Modules/gcmodule.c
@@ -1689,8 +1689,15 @@ _PyObject_GC_New(PyTypeObject *tp)
 PyVarObject *
 _PyObject_GC_NewVar(PyTypeObject *tp, Py_ssize_t nitems)
 {
-    const size_t size = _PyObject_VAR_SIZE(tp, nitems);
-    PyVarObject *op = (PyVarObject *) _PyObject_GC_Malloc(size);
+    size_t size;
+    PyVarObject *op;
+
+    if (nitems < 0) {
+        PyErr_BadInternalCall();
+        return NULL;
+    }
+    size = _PyObject_VAR_SIZE(tp, nitems);
+    op = (PyVarObject *) _PyObject_GC_Malloc(size);
     if (op != NULL)
         op = PyObject_INIT_VAR(op, tp, nitems);
     return op;