bpo-35090: Fix potential division by zero in allocator wrappers (GH-10174)

Alexey Izbyshev · vstinner · commit 3d4fabb2a424 · 2018-10-28T17:45:50.000+01:00
* Fix potential division by zero in BZ2_Malloc()
* Avoid division by zero in PyLzma_Malloc()
* Avoid division by zero and integer overflow in PyZlib_Malloc()

Reported by Svace static analyzer.
diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
@@ -277,11 +277,11 @@ BZ2_Malloc(void* ctx, int items, int size)
 {
     if (items < 0 || size < 0)
         return NULL;
-    if ((size_t)items > (size_t)PY_SSIZE_T_MAX / (size_t)size)
+    if (size != 0 && (size_t)items > (size_t)PY_SSIZE_T_MAX / (size_t)size)
         return NULL;
     /* PyMem_Malloc() cannot be used: compress() and decompress()
        release the GIL */
-    return PyMem_RawMalloc(items * size);
+    return PyMem_RawMalloc((size_t)items * (size_t)size);
 }
 
 static void
diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
@@ -108,7 +108,7 @@ catch_lzma_error(lzma_ret lzret)
 static void*
 PyLzma_Malloc(void *opaque, size_t items, size_t size)
 {
-    if (items > (size_t)PY_SSIZE_T_MAX / size)
+    if (size != 0 && items > (size_t)PY_SSIZE_T_MAX / size)
         return NULL;
     /* PyMem_Malloc() cannot be used:
        the GIL is not held when lzma_code() is called */
diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
@@ -117,11 +117,11 @@ newcompobject(PyTypeObject *type)
 static void*
 PyZlib_Malloc(voidpf ctx, uInt items, uInt size)
 {
-    if (items > (size_t)PY_SSIZE_T_MAX / size)
+    if (size != 0 && items > (size_t)PY_SSIZE_T_MAX / size)
         return NULL;
     /* PyMem_Malloc() cannot be used: the GIL is not held when
        inflate() and deflate() are called */
-    return PyMem_RawMalloc(items * size);
+    return PyMem_RawMalloc((size_t)items * (size_t)size);
 }
 
 static void

Original file line number	Diff line number	Diff line change
`@@ -277,11 +277,11 @@ BZ2_Malloc(void* ctx, int items, int size)`
`277`	`277`	`{`
`278`	`278`	`if (items < 0 \|\| size < 0)`
`279`	`279`	`return NULL;`
`280`		`- if ((size_t)items > (size_t)PY_SSIZE_T_MAX / (size_t)size)`
	`280`	`+ if (size != 0 && (size_t)items > (size_t)PY_SSIZE_T_MAX / (size_t)size)`
`281`	`281`	`return NULL;`
`282`	`282`	`/* PyMem_Malloc() cannot be used: compress() and decompress()`
`283`	`283`	`release the GIL */`
`284`		`- return PyMem_RawMalloc(items * size);`
	`284`	`+ return PyMem_RawMalloc((size_t)items * (size_t)size);`
`285`	`285`	`}`
`286`	`286`
`287`	`287`	`static void`
Original file line number	Diff line number	Diff line change
`@@ -108,7 +108,7 @@ catch_lzma_error(lzma_ret lzret)`
`108`	`108`	`static void*`
`109`	`109`	`PyLzma_Malloc(void *opaque, size_t items, size_t size)`
`110`	`110`	`{`
`111`		`- if (items > (size_t)PY_SSIZE_T_MAX / size)`
	`111`	`+ if (size != 0 && items > (size_t)PY_SSIZE_T_MAX / size)`
`112`	`112`	`return NULL;`
`113`	`113`	`/* PyMem_Malloc() cannot be used:`
`114`	`114`	`the GIL is not held when lzma_code() is called */`
Original file line number	Diff line number	Diff line change
`@@ -117,11 +117,11 @@ newcompobject(PyTypeObject *type)`
`117`	`117`	`static void*`
`118`	`118`	`PyZlib_Malloc(voidpf ctx, uInt items, uInt size)`
`119`	`119`	`{`
`120`		`- if (items > (size_t)PY_SSIZE_T_MAX / size)`
	`120`	`+ if (size != 0 && items > (size_t)PY_SSIZE_T_MAX / size)`
`121`	`121`	`return NULL;`
`122`	`122`	`/* PyMem_Malloc() cannot be used: the GIL is not held when`
`123`	`123`	`inflate() and deflate() are called */`
`124`		`- return PyMem_RawMalloc(items * size);`
	`124`	`+ return PyMem_RawMalloc((size_t)items * (size_t)size);`
`125`	`125`	`}`
`126`	`126`
`127`	`127`	`static void`