From 60098040c8a1782f4e68a0833cf351b9b2023162 Mon Sep 17 00:00:00 2001
From: Hirokazu Yamamoto <ocean-city@m2.ccsnet.ne.jp>
Date: Tue, 31 Mar 2009 13:22:01 +0000
Subject: [PATCH] Merged revisions 70800 via svnmerge from
 svn+ssh://pythondev@svn.python.org/python/trunk

........
  r70800 | hirokazu.yamamoto | 2009-03-31 22:13:05 +0900 | 1 line

  Issue #5387: Fixed mmap.move crash by integer overflow.
........
---
 Lib/test/test_mmap.py | 17 +++++++++++++++++
 Misc/NEWS             |  2 ++
 Modules/mmapmodule.c  |  6 ++----
 3 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/Lib/test/test_mmap.py b/Lib/test/test_mmap.py
index 31daa8df11d..a73dfedaa3c 100644
--- a/Lib/test/test_mmap.py
+++ b/Lib/test/test_mmap.py
@@ -338,6 +338,23 @@ class MmapTests(unittest.TestCase):
         mf.close()
         f.close()
 
+        # more excessive test
+        data = "0123456789"
+        for dest in range(len(data)):
+            for src in range(len(data)):
+                for count in range(len(data) - max(dest, src)):
+                    expected = data[:dest] + data[src:src+count] + data[dest+count:]
+                    m = mmap.mmap(-1, len(data))
+                    m[:] = data
+                    m.move(dest, src, count)
+                    self.assertEqual(m[:], expected)
+                    m.close()
+
+        # should not crash
+        m = mmap.mmap(-1, 1)
+        self.assertRaises(ValueError, m.move, 1, 1, -1)
+        m.close()
+
     def test_anonymous(self):
         # anonymous mmap.mmap(-1, PAGE)
         m = mmap.mmap(-1, PAGESIZE)
diff --git a/Misc/NEWS b/Misc/NEWS
index d49fc0d2e96..2b3e3b8348a 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -92,6 +92,8 @@ Core and Builtins
 Library
 -------
 
+- Issue #5387: Fixed mmap.move crash by integer overflow.
+
 - Issue #5261: Patch multiprocessing's semaphore.c to support context
   manager use: "with multiprocessing.Lock()" works now.
 
diff --git a/Modules/mmapmodule.c b/Modules/mmapmodule.c
index 95dcfbe6305..d191c1e6fb1 100644
--- a/Modules/mmapmodule.c
+++ b/Modules/mmapmodule.c
@@ -612,10 +612,8 @@ mmap_move_method(mmap_object *self, PyObject *args)
 		return NULL;
 	} else {
 		/* bounds check the values */
-		if (/* end of source after end of data?? */
-			((src+count) > self->size)
-			/* dest will fit? */
-			|| (dest+count > self->size)) {
+		unsigned long pos = src > dest ? src : dest;
+		if (self->size >= pos && count > self->size - pos) {
 			PyErr_SetString(PyExc_ValueError,
 					"source or destination out of range");
 			return NULL;