diff -r 37f4aa15a1c6 Modules/_codecsmodule.c
--- a/Modules/_codecsmodule.c Sun Sep 30 02:22:50 2012 -0700
+++ b/Modules/_codecsmodule.c Sun Sep 30 19:37:14 2012 +0300
@@ -177,12 +177,12 @@
 return NULL;
 size = PyBytes_GET_SIZE(str);
- newsize = 4*size;
- if (newsize > PY_SSIZE_T_MAX || newsize / 4 != size) {
+ if (size > PY_SSIZE_T_MAX / 4) {
 PyErr_SetString(PyExc_OverflowError, "string is too large to encode");
 return NULL;
 }
+ newsize = 4*size;
 v = PyBytes_FromStringAndSize(NULL, newsize);
 if (v == NULL) {
diff -r 37f4aa15a1c6 Modules/_datetimemodule.c
--- a/Modules/_datetimemodule.c Sun Sep 30 02:22:50 2012 -0700
+++ b/Modules/_datetimemodule.c Sun Sep 30 19:37:14 2012 +0300
@@ -1265,14 +1265,13 @@
 assert(ptoappend != NULL);
 assert(ntoappend > 0);
 while (usednew + ntoappend > totalnew) {
- size_t bigger = totalnew << 1;
- if ((bigger >> 1) != totalnew) { /* overflow */
+ if (totalnew > (PY_SSIZE_T_MAX >> 1)) { /* overflow */
 PyErr_NoMemory();
 goto Done;
 }
- if (_PyBytes_Resize(&newfmt, bigger) < 0)
+ totalnew <<= 1;
+ if (_PyBytes_Resize(&newfmt, totalnew) < 0)
 goto Done;
- totalnew = bigger;
 pnew = PyBytes_AsString(newfmt) + usednew;
 }
 memcpy(pnew, ptoappend, ntoappend);
diff -r 37f4aa15a1c6 Modules/_randommodule.c
--- a/Modules/_randommodule.c Sun Sep 30 02:22:50 2012 -0700
+++ b/Modules/_randommodule.c Sun Sep 30 19:37:14 2012 +0300
@@ -284,7 +284,8 @@
 n = newn;
 if (keyused >= keymax) {
 unsigned long bigger = keymax << 1;
- if ((bigger >> 1) != keymax) {
+ if ((bigger >> 1) != keymax ||
+ bigger > PY_SSIZE_T_MAX / sizeof(*key)) {
 PyErr_NoMemory();
 goto Done;
 }
diff -r 37f4aa15a1c6 Modules/arraymodule.c
--- a/Modules/arraymodule.c Sun Sep 30 02:22:50 2012 -0700
+++ b/Modules/arraymodule.c Sun Sep 30 19:37:14 2012 +0300
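Review bot: In Modules/_randommodule.c (@@ -284,7 +284,8 @@) the two overflow tests guard different things and neither is commented. `(bigger >> 1) != keymax` catches wrap-around of the `unsigned long` doubling, while the added `bigger > PY_SSIZE_T_MAX / sizeof(*key)` bounds a byte count. A one-line comment such as `/* doubling must not wrap, and bigger * sizeof(*key) must fit in Py_ssize_t */` would stop a later cleanup from folding them into a single test. The allocation that consumes `bigger` lies outside the hunk, so the byte-count reading is inferred from the `sizeof(*key)` divisor.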
@@ -483,11 +483,11 @@
 return NULL;
 }
- nbytes = size * descr->itemsize;
 /* Check for overflow */
- if (nbytes / descr->itemsize != (size_t)size) {
+ if (size > PY_SSIZE_T_MAX / descr->itemsize) {
 return PyErr_NoMemory();
 }
+ nbytes = size * descr->itemsize;
 op = (arrayobject *) type->tp_alloc(type, 0);
 if (op == NULL) {
 return NULL;
@@ -1251,11 +1251,15 @@
 if (!PyArg_ParseTuple(args, "On:fromfile", &f, &n))
 return NULL;
- nbytes = n * itemsize;
- if (nbytes < 0 || nbytes/itemsize != n) {
+ if (n < 0) {
+ PyErr_SetString(PyExc_ValueError, "negative count");
+ return NULL;
+ }
+ if (n > PY_SSIZE_T_MAX / itemsize) {
 PyErr_NoMemory();
 return NULL;
 }
+ nbytes = n * itemsize;
 b = _PyObject_CallMethodId(f, &PyId_read, "n", nbytes);
 if (b == NULL)
diff -r 37f4aa15a1c6 Modules/audioop.c
--- a/Modules/audioop.c Sun Sep 30 02:22:50 2012 -0700
+++ b/Modules/audioop.c Sun Sep 30 19:37:14 2012 +0300
@@ -1108,8 +1108,7 @@
 PyErr_SetString(AudioopError, "# of channels should be >= 1");
 return NULL;
 }
- bytes_per_frame = size * nchannels;
- if (bytes_per_frame / nchannels != size) {
+ if (size > INT_MAX / nchannels) {
 /* This overflow test is rigorously correct because both multiplicands are >= 1. Use the argument names from the docs for the error msg. */
@@ -1117,6 +1116,7 @@
 "width * nchannels too big for a C int");
 return NULL;
 }
+ bytes_per_frame = size * nchannels;
 if (weightA < 1 || weightB < 0) {
 PyErr_SetString(AudioopError, "weightA should be >= 1, weightB should be >= 0");
diff -r 37f4aa15a1c6 Objects/longobject.c
--- a/Objects/longobject.c Sun Sep 30 02:22:50 2012 -0700
+++ b/Objects/longobject.c Sun Sep 30 19:37:14 2012 +0300
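Review bot: In Modules/arraymodule.c (@@ -1251,11 +1251,15 @@) a negative count now raises ValueError with "negative count", where the removed `nbytes < 0` test ended in `PyErr_NoMemory()`, so callers see a different exception type. The new error is the more accurate one, but it is a user-visible change inside an overflow cleanup and nothing in the hunk records it. It should get a regression test beside the overflow cases and a comment above the branch, for example `/* reject negative counts explicitly; previously reported as MemoryError */`. The function body begins and ends outside the hunk.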
@@ -668,10 +668,9 @@
 assert(ndigits == 0 || v->ob_digit[ndigits - 1] != 0);
 if (ndigits > 0) {
 digit msd = v->ob_digit[ndigits - 1];
-
- result = (ndigits - 1) * PyLong_SHIFT;
- if (result / PyLong_SHIFT != (size_t)(ndigits - 1))
+ if ((size_t)(ndigits - 1) > PY_SIZE_MAX / (size_t)PyLong_SHIFT)
 goto Overflow;
+ result = (size_t)(ndigits - 1) * (size_t)PyLong_SHIFT;
 do {
 ++result;
 if (result == 0)
diff -r 37f4aa15a1c6 Objects/tupleobject.c
--- a/Objects/tupleobject.c Sun Sep 30 02:22:50 2012 -0700
+++ b/Objects/tupleobject.c Sun Sep 30 19:37:14 2012 +0300
@@ -96,15 +96,11 @@
 else
 #endif
 {
- Py_ssize_t nbytes = size * sizeof(PyObject *);
 /* Check for overflow */
- if (nbytes / sizeof(PyObject *) != (size_t)size ||
- (nbytes > PY_SSIZE_T_MAX - sizeof(PyTupleObject) - sizeof(PyObject *)))
- {
+ if (size > (PY_SSIZE_T_MAX - sizeof(PyTupleObject) -
+ sizeof(PyObject *)) / sizeof(PyObject *)) {
 return PyErr_NoMemory();
 }
- /* nbytes += sizeof(PyTupleObject) - sizeof(PyObject *); */
-
 op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size);
 if (op == NULL)
 return NULL;
@@ -482,7 +478,7 @@
 return PyTuple_New(0);
 }
 size = Py_SIZE(a) * n;
- if (size/Py_SIZE(a) != n)
+ if (n > PY_SSIZE_T_MAX / Py_SIZE(a))
 return PyErr_NoMemory();
 np = (PyTupleObject *) PyTuple_New(size);
 if (np == NULL)
diff -r 37f4aa15a1c6 Objects/unicodeobject.c
--- a/Objects/unicodeobject.c Sun Sep 30 02:22:50 2012 -0700
+++ b/Objects/unicodeobject.c Sun Sep 30 19:37:14 2012 +0300
@@ -4492,7 +4492,6 @@
 void *data;
 Py_ssize_t len;
 PyObject *v;
- Py_ssize_t allocated;
 int inShift = 0;
 Py_ssize_t i;
 unsigned int base64bits = 0;
@@ -4510,11 +4509,9 @@
 return PyBytes_FromStringAndSize(NULL, 0);
 /* It might be possible to tighten this worst case */
- allocated = 8 * len;
- if (allocated / 8 != len)
+ if (len > PY_SSIZE_T_MAX / 8)
 return PyErr_NoMemory();
-
- v = PyBytes_FromStringAndSize(NULL, allocated);
+ v = PyBytes_FromStringAndSize(NULL, len * 8);
 if (v == NULL)
 return NULL;
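Review bot: In Objects/tupleobject.c (@@ -96,15 +96,11 @@) the new test compares the signed `size` against an unsigned right-hand side, because `PY_SSIZE_T_MAX - sizeof(PyTupleObject)` is evaluated in `size_t`. The outcome is correct only through the implicit conversion (a negative `size` would turn into a huge unsigned value and be rejected), and the line will trip -Wsign-compare. Spelling the conversion out keeps the intent visible: `if ((size_t)size > ((size_t)PY_SSIZE_T_MAX - sizeof(PyTupleObject) - sizeof(PyObject *)) / sizeof(PyObject *)) {`. Whether `size` is already known to be non-negative is decided above the hunk.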
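Review bot: In Objects/tupleobject.c (@@ -482,7 +478,7 @@) the context line `size = Py_SIZE(a) * n;` still runs before the new guard, so the signed multiplication can overflow, which is undefined behaviour, before `n > PY_SSIZE_T_MAX / Py_SIZE(a)` gets to reject it. A compiler may assume the product did not overflow, which is the hazard the rest of this commit removes by checking first and multiplying afterwards. Move the assignment below the check: `if (n > PY_SSIZE_T_MAX / Py_SIZE(a)) return PyErr_NoMemory();` followed by `size = Py_SIZE(a) * n;`. The division relies on `Py_SIZE(a)` being non-zero, which the `return PyTuple_New(0);` context line suggests is handled above the hunk.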
@@ -5092,7 +5089,7 @@
 Py_ssize_t len;
 PyObject *v;
 unsigned char *p;
- Py_ssize_t nsize, bytesize, i;
+ Py_ssize_t nsize, i;
 /* Offsets from p for storing byte pairs in the right order. */
 #ifdef BYTEORDER_IS_LITTLE_ENDIAN
 int iorder[] = {0, 1, 2, 3};
@@ -5120,10 +5117,9 @@
 len = PyUnicode_GET_LENGTH(str);
 nsize = len + (byteorder == 0);
- bytesize = nsize * 4;
- if (bytesize / 4 != nsize)
+ if (nsize > PY_SSIZE_T_MAX / 4)
 return PyErr_NoMemory();
- v = PyBytes_FromStringAndSize(NULL, bytesize);
+ v = PyBytes_FromStringAndSize(NULL, nsize * 4);
 if (v == NULL)
 return NULL;
@@ -10165,7 +10161,7 @@
 }
 else {
 Py_ssize_t n, i, j, ires;
- Py_ssize_t product, new_size;
+ Py_ssize_t new_size;
 int rkind = skind;
 char *res;
@@ -10197,19 +10193,18 @@
 }
 /* new_size = PyUnicode_GET_LENGTH(self) + n * (PyUnicode_GET_LENGTH(str2) - PyUnicode_GET_LENGTH(str1))); */
- product = n * (len2-len1);
- if ((product / (len2-len1)) != n) {
+ if (len2 > len1 && len2 - len1 > (PY_SSIZE_T_MAX - slen) / n) {
 PyErr_SetString(PyExc_OverflowError, "replace string is too long");
 goto error;
 }
- new_size = slen + product;
+ new_size = slen + n * (len2 - len1);
 if (new_size == 0) {
 Py_INCREF(unicode_empty);
 u = unicode_empty;
 goto done;
 }
- if (new_size < 0 || new_size > (PY_SSIZE_T_MAX >> (rkind-1))) {
+ if (new_size > (PY_SSIZE_T_MAX >> (rkind-1))) {
 PyErr_SetString(PyExc_OverflowError, "replace string is too long");
 goto error;
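Review bot: In Objects/unicodeobject.c (@@ -10197,19 +10193,18 @@) the new guard divides by `n` and the hunk drops the `new_size < 0` test, yet both depend on facts that are not visible next to the arithmetic. The division needs `n > 0`, and the shrinking case `len2 < len1` stays non-negative only if the `n` matches of length `len1` fit inside `slen`, which is presumably guaranteed by the counting code above the hunk. State both where they are relied on: `assert(n > 0);` before the guard, and a comment such as `/* len2 < len1 cannot go negative: n matches of len1 fit in slen */` above the `new_size` assignment. Without them a later change to the match counting can silently reintroduce a negative or wrapped size that reaches the allocation.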