diff -r ef03369385ba Modules/_elementtree.c --- a/Modules/_elementtree.c Fri Nov 22 00:46:18 2013 +0100 +++ b/Modules/_elementtree.c Fri Nov 22 01:01:01 2013 +0100 @@ -929,8 +929,14 @@ nchildren = 0; } + /* expat limits nchildren to int */ + if (nchildren > INT_MAX) { + PyErr_SetString(PyExc_OverflowError, "too many children"); + return NULL; + } + /* Allocate 'extra'. */ - if (element_resize(self, nchildren)) { + if (element_resize(self, (int)nchildren)) { return NULL; } assert(self->extra && self->extra->allocated >= nchildren); @@ -941,8 +947,8 @@ Py_INCREF(self->extra->children[i]); } - self->extra->length = nchildren; - self->extra->allocated = nchildren; + self->extra->length = (int)nchildren; + self->extra->allocated = (int)nchildren; /* Stash attrib. */ if (attrib) { @@ -1495,6 +1501,7 @@ "child assignment index out of range"); return -1; } + /* now index must be smaller than INT_MAX */ old = self->extra->children[index]; @@ -1503,7 +1510,7 @@ self->extra->children[index] = item; } else { self->extra->length--; - for (i = index; i < self->extra->length; i++) + for (i = (int)index; i < self->extra->length; i++) self->extra->children[i] = self->extra->children[i+1]; } @@ -3439,6 +3446,7 @@ PyObject* buffer; PyObject* temp; PyObject* res; + Py_ssize_t bufsize; PyObject* fileobj; if (!PyArg_ParseTuple(args, "O:_parse", &fileobj)) @@ -3479,9 +3487,16 @@ break; } - res = expat_parse( - self, PyBytes_AS_STRING(buffer), PyBytes_GET_SIZE(buffer), 0 - ); + bufsize = PyBytes_GET_SIZE(buffer); + if (bufsize > INT_MAX) { + Py_DECREF(buffer); + Py_DECREF(reader); + PyErr_SetString(PyExc_OverflowError, + "read() has returned too much data."); + return NULL; + } + + res = expat_parse(self, PyBytes_AS_STRING(buffer), (int)bufsize, 0); Py_DECREF(buffer);