Skip to content

Commit 07bd45d

Browse files
committed
Fix integer overflows in PyObject_CopyData buffer API
1 parent 7fb315b commit 07bd45d

2 files changed

Lines changed: 14 additions & 2 deletions

File tree

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
Fix potential integer overflows in PyObject_CopyData when processing multi-dimensional buffers with exceptionally large dimensions or shapes.

Objects/abstract.c

Lines changed: 13 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -718,7 +718,12 @@ int PyObject_CopyData(PyObject *dest, PyObject *src)
718718

719719
/* Otherwise a more elaborate copy scheme is needed */
720720

721-
/* XXX(nnorwitz): need to check for overflow! */
721+
if ((size_t)view_src.ndim > (size_t)PyBUF_MAX_NDIM) {
722+
PyErr_SetString(PyExc_BufferError, "invalid ndim");
723+
PyBuffer_Release(&view_dest);
724+
PyBuffer_Release(&view_src);
725+
return -1;
726+
}
722727
indices = (Py_ssize_t *)PyMem_Malloc(sizeof(Py_ssize_t)*view_src.ndim);
723728
if (indices == NULL) {
724729
PyErr_NoMemory();
@@ -731,7 +736,13 @@ int PyObject_CopyData(PyObject *dest, PyObject *src)
731736
}
732737
elements = 1;
733738
for (k=0; k<view_src.ndim; k++) {
734-
/* XXX(nnorwitz): can this overflow? */
739+
if (view_src.shape[k] != 0 && elements > PY_SSIZE_T_MAX / view_src.shape[k]) {
740+
PyMem_Free(indices);
741+
PyBuffer_Release(&view_dest);
742+
PyBuffer_Release(&view_src);
743+
PyErr_SetString(PyExc_BufferError, "buffer is too large");
744+
return -1;
745+
}
735746
elements *= view_src.shape[k];
736747
}
737748
while (elements--) {

0 commit comments

Comments
 (0)