ultimatecoder
diff --git a/‎Include/pymem.h
+8-4 b/‎Include/pymem.h
+8-4
diff --git a/‎Include/pyport.h
+11 b/‎Include/pyport.h
+11
diff --git a/‎Misc/NEWS
+13 b/‎Misc/NEWS
+13
diff --git a/‎Modules/_csv.c
+10 b/‎Modules/_csv.c
+10
diff --git a/‎Modules/arraymodule.c
+33-1 b/‎Modules/arraymodule.c
+33-1
diff --git a/‎Modules/audioop.c
+44-12 b/‎Modules/audioop.c
+44-12
@@ -86,14 +86,18 @@ PyAPI_FUNC(void) PyMem_Free(void *);
  */
 
 #define PyMem_New(type, n) \
-	( (type *) PyMem_Malloc((n) * sizeof(type)) )
+  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+	( (type *) PyMem_Malloc((n) * sizeof(type)) ) )
 #define PyMem_NEW(type, n) \
-	( (type *) PyMem_MALLOC((n) * sizeof(type)) )
+  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+	( (type *) PyMem_MALLOC((n) * sizeof(type)) ) )
 
 #define PyMem_Resize(p, type, n) \
-	( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) )
+  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+	( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) )
 #define PyMem_RESIZE(p, type, n) \
-	( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) )
+  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+	( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) )
 
 /* In order to avoid breaking old code mixing PyObject_{New, NEW} with
    PyMem_{Del, DEL} and PyMem_{Free, FREE}, the PyMem "release memory"
 
@@ -554,6 +554,17 @@ typedef	struct fd_set {
 #error "LONG_BIT definition appears wrong for platform (bad gcc/glibc config?)."
 #endif
 
+/* Largest possible value of size_t.
+   SIZE_MAX is part of C99, so it might be defined on some
+   platforms. If it is not defined, (size_t)-1 is a portable
+   definition for C89, due to the way signed->unsigned 
+   conversion is defined. */
+#ifdef SIZE_MAX
+#define PY_SIZE_MAX SIZE_MAX
+#else
+#define PY_SIZE_MAX ((size_t)-1)
+#endif
+
 #ifdef __cplusplus
 }
 #endif
 
@@ -4,6 +4,19 @@ Python News
 
 (editors: check NEWS.help for information about editing NEWS using ReST.)
 
+What's New in Python 2.3.7c1?
+===========================
+
+*Release date: 02-Mar-2008*
+
+Core and builtins
+-----------------
+
+- Added checks for integer overflows, contributed by Google. Some are
+  only available if asserts are left in the code, in cases where they
+  can't be triggered from Python code.
+
+
 What's New in Python 2.3.6?
 ===========================
 
 
@@ -470,6 +470,10 @@ parse_grow_buff(ReaderObj *self)
 		self->field = PyMem_Malloc(self->field_size);
 	}
 	else {
+		if (self->field_size > INT_MAX / 2) {
+			PyErr_NoMemory();
+			return 0;
+		} 
 		self->field_size *= 2;
 		self->field = PyMem_Realloc(self->field, self->field_size);
 	}
@@ -1003,6 +1007,12 @@ join_append_data(WriterObj *self, char *field, int quote_empty,
 static int
 join_check_rec_size(WriterObj *self, int rec_len)
 {
+
+	if (rec_len < 0 || rec_len > INT_MAX - MEM_INCR) {
+		PyErr_NoMemory();
+		return 0;
+	}
+
 	if (rec_len > self->rec_size) {
 		if (self->rec_size == 0) {
 			self->rec_size = (rec_len / MEM_INCR + 1) * MEM_INCR;
 
@@ -632,6 +632,9 @@ array_concat(arrayobject *a, PyObject *bb)
 		PyErr_BadArgument();
 		return NULL;
 	}
+	if (a->ob_size > INT_MAX - b->ob_size) {
+		return PyErr_NoMemory();
+	}
 	size = a->ob_size + b->ob_size;
 	np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr);
 	if (np == NULL) {
@@ -654,6 +657,9 @@ array_repeat(arrayobject *a, int n)
 	int nbytes;
 	if (n < 0)
 		n = 0;
+	if ((a->ob_size != 0) && (n > INT_MAX / a->ob_size)) {
+		return PyErr_NoMemory();
+	}
 	size = a->ob_size * n;
 	np = (arrayobject *) newarrayobject(&Arraytype, size, a->ob_descr);
 	if (np == NULL)
@@ -775,6 +781,11 @@ array_do_extend(arrayobject *self, PyObject *bb)
 			     "can only extend with array of same kind");
 		return -1;
 	}
+	if ((self->ob_size > INT_MAX - b->ob_size) ||
+		((self->ob_size + b->ob_size) > INT_MAX / self->ob_descr->itemsize)) {
+			PyErr_NoMemory();
+			return -1;
+	}
 	size = self->ob_size + b->ob_size;
         PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize);
         if (self->ob_item == NULL) {
@@ -809,13 +820,20 @@ array_inplace_repeat(arrayobject *self, int n)
 		if (n < 0)
 			n = 0;
 		items = self->ob_item;
+		if ((self->ob_descr->itemsize != 0) && 
+			(self->ob_size > INT_MAX / self->ob_descr->itemsize)) {
+			return PyErr_NoMemory();
+		}
 		size = self->ob_size * self->ob_descr->itemsize;
 		if (n == 0) {
 			PyMem_FREE(items);
 			self->ob_item = NULL;
 			self->ob_size = 0;
 		}
 		else {
+			if (size > INT_MAX / n) {
+				return PyErr_NoMemory();
+			}
 			PyMem_Resize(items, char, n * size);
 			if (items == NULL)
 				return PyErr_NoMemory();
@@ -1224,6 +1242,9 @@ array_fromlist(arrayobject *self, PyObject *list)
 			if ((*self->ob_descr->setitem)(self,
 					self->ob_size - n + i, v) != 0) {
 				self->ob_size -= n;
+				if (itemsize && (self->ob_size > INT_MAX / itemsize)) {
+					return PyErr_NoMemory();
+				}
 				PyMem_RESIZE(item, char,
 					          self->ob_size * itemsize);
 				self->ob_item = item;
@@ -1282,6 +1303,10 @@ array_fromstring(arrayobject *self, PyObject *args)
 	n = n / itemsize;
 	if (n > 0) {
 		char *item = self->ob_item;
+		if ((n > INT_MAX - self->ob_size) ||
+			((self->ob_size + n) > INT_MAX / itemsize)) {
+				return PyErr_NoMemory();
+		}
 		PyMem_RESIZE(item, char, (self->ob_size + n) * itemsize);
 		if (item == NULL) {
 			PyErr_NoMemory();
@@ -1306,8 +1331,12 @@ values,as if it had been read from a file using the fromfile() method).");
 static PyObject *
 array_tostring(arrayobject *self, PyObject *unused)
 {
-	return PyString_FromStringAndSize(self->ob_item,
+	if (self->ob_size <= INT_MAX / self->ob_descr->itemsize) {
+		return PyString_FromStringAndSize(self->ob_item,
 				    self->ob_size * self->ob_descr->itemsize);
+	} else {
+		return PyErr_NoMemory();
+	}
 }
 
 PyDoc_STRVAR(tostring_doc,
@@ -1335,6 +1364,9 @@ array_fromunicode(arrayobject *self, PyObject *args)
 	}
 	if (n > 0) {
 		Py_UNICODE *item = (Py_UNICODE *) self->ob_item;
+		if (self->ob_size > INT_MAX - n) {
+			return PyErr_NoMemory();
+		}
 		PyMem_RESIZE(item, Py_UNICODE, self->ob_size + n);
 		if (item == NULL) {
 			PyErr_NoMemory();
 
@@ -674,7 +674,7 @@ static PyObject *
 audioop_tostereo(PyObject *self, PyObject *args)
 {
 	signed char *cp, *ncp;
-	int len, size, val1, val2, val = 0;
+	int len, new_len, size, val1, val2, val = 0;
 	double fac1, fac2, fval, maxval;
 	PyObject *rv;
 	int i;
@@ -690,7 +690,14 @@ audioop_tostereo(PyObject *self, PyObject *args)
 		return 0;
 	}
 
-	rv = PyString_FromStringAndSize(NULL, len*2);
+	new_len = len*2;
+	if (new_len < 0) {
+		PyErr_SetString(PyExc_MemoryError,
+				"not enough memory for output buffer");
+		return 0;
+	}
+
+	rv = PyString_FromStringAndSize(NULL, new_len);
 	if ( rv == 0 )
 		return 0;
 	ncp = (signed char *)PyString_AsString(rv);
@@ -853,7 +860,7 @@ audioop_lin2lin(PyObject *self, PyObject *args)
 {
 	signed char *cp;
 	unsigned char *ncp;
-	int len, size, size2, val = 0;
+	int len, new_len, size, size2, val = 0;
 	PyObject *rv;
 	int i, j;
 
@@ -867,7 +874,13 @@ audioop_lin2lin(PyObject *self, PyObject *args)
 		return 0;
 	}
 
-	rv = PyString_FromStringAndSize(NULL, (len/size)*size2);
+	new_len = (len/size)*size2;
+	if (new_len < 0) {
+		PyErr_SetString(PyExc_MemoryError,
+				"not enough memory for output buffer");
+		return 0;
+	}
+	rv = PyString_FromStringAndSize(NULL, new_len);
 	if ( rv == 0 )
 		return 0;
 	ncp = (unsigned char *)PyString_AsString(rv);
@@ -903,6 +916,7 @@ audioop_ratecv(PyObject *self, PyObject *args)
 	int chan, d, *prev_i, *cur_i, cur_o;
 	PyObject *state, *samps, *str, *rv = NULL;
 	int bytes_per_frame;
+	size_t alloc_size;
 
 	weightA = 1;
 	weightB = 0;
@@ -944,8 +958,14 @@ audioop_ratecv(PyObject *self, PyObject *args)
 	inrate /= d;
 	outrate /= d;
 
-	prev_i = (int *) malloc(nchannels * sizeof(int));
-	cur_i = (int *) malloc(nchannels * sizeof(int));
+	alloc_size = sizeof(int) * (unsigned)nchannels;
+	if (alloc_size < nchannels) {
+		PyErr_SetString(PyExc_MemoryError,
+				"not enough memory for output buffer");
+		return 0;
+	}
+	prev_i = (int *) malloc(alloc_size);
+	cur_i = (int *) malloc(alloc_size);
 	if (prev_i == NULL || cur_i == NULL) {
 		(void) PyErr_NoMemory();
 		goto exit;
@@ -1114,7 +1134,7 @@ audioop_ulaw2lin(PyObject *self, PyObject *args)
 	unsigned char *cp;
 	unsigned char cval;
 	signed char *ncp;
-	int len, size, val;
+	int len, new_len, size, val;
 	PyObject *rv;
 	int i;
 
@@ -1127,12 +1147,18 @@ audioop_ulaw2lin(PyObject *self, PyObject *args)
 		return 0;
 	}
 
-	rv = PyString_FromStringAndSize(NULL, len*size);
+	new_len = len*size;
+	if (new_len < 0) {
+		PyErr_SetString(PyExc_MemoryError,
+			"not enough memory for output buffer");
+		return 0;
+	}
+	rv = PyString_FromStringAndSize(NULL, new_len);
 	if ( rv == 0 )
 		return 0;
 	ncp = (signed char *)PyString_AsString(rv);
 
-	for ( i=0; i < len*size; i += size ) {
+	for ( i=0; i < new_len; i += size ) {
 		cval = *cp++;
 		val = st_ulaw_to_linear(cval);
 
@@ -1257,7 +1283,7 @@ audioop_adpcm2lin(PyObject *self, PyObject *args)
 {
 	signed char *cp;
 	signed char *ncp;
-	int len, size, valpred, step, delta, index, sign, vpdiff;
+	int len, new_len, size, valpred, step, delta, index, sign, vpdiff;
 	PyObject *rv, *str, *state;
 	int i, inputbuffer = 0, bufferstep;
 
@@ -1279,15 +1305,21 @@ audioop_adpcm2lin(PyObject *self, PyObject *args)
 	} else if ( !PyArg_Parse(state, "(ii)", &valpred, &index) )
 		return 0;
 
-	str = PyString_FromStringAndSize(NULL, len*size*2);
+	new_len = len*size*2;
+	if (new_len < 0) {
+		PyErr_SetString(PyExc_MemoryError,
+				"not enough memory for output buffer");
+		return 0;
+	}
+	str = PyString_FromStringAndSize(NULL, new_len);
 	if ( str == 0 )
 		return 0;
 	ncp = (signed char *)PyString_AsString(str);
 
 	step = stepsizeTable[index];
 	bufferstep = 0;
 
-	for ( i=0; i < len*size*2; i += size ) {
+	for ( i=0; i < new_len; i += size ) {
 		/* Step 1 - get the delta value and compute next index */
 		if ( bufferstep ) {
 			delta = inputbuffer & 0xf;