py/objdeque: Protect against negative maxlen in deque constructor.

Otherwise passing -1 as maxlen will lead to a zero allocation and subsequent unbound buffer overflow in deque.append() because i_put is allowed to grow without bound.
author: Damien George <damien.p.george@gmail.com> 2018-02-21 23:34:17 +1100
committer: Damien George <damien.p.george@gmail.com> 2018-02-21 23:34:17 +1100
commit: 160d6708684de8c71895f90bc699a5879fb6ed29 (patch)
tree: ad45452d4a64c7e6fe1e50ccdb8af5125b96828c /py
parent: 8f9b113be25bec821254027e3e3d634f20553226 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/py/objdeque.c b/py/objdeque.c
index a4c42c31f..573a48baf 100644
--- a/py/objdeque.c
+++ b/py/objdeque.c
@@ -50,9 +50,15 @@ STATIC mp_obj_t deque_make_new(const mp_obj_type_t *type, size_t n_args, size_t
         mp_raise_ValueError(NULL);
     }
 
+    // Protect against -1 leading to zero-length allocation and bad array access
+    mp_int_t maxlen = mp_obj_get_int(args[1]);
+    if (maxlen < 0) {
+        mp_raise_ValueError(NULL);
+    }
+
     mp_obj_deque_t *o = m_new_obj(mp_obj_deque_t);
     o->base.type = type;
-    o->alloc = mp_obj_get_int(args[1]) + 1;
+    o->alloc = maxlen + 1;
     o->i_get = o->i_put = 0;
     o->items = m_new(mp_obj_t, o->alloc);
     mp_seq_clear(o->items, 0, o->alloc, sizeof(*o->items));
author	Damien George <damien.p.george@gmail.com>	2018-02-21 23:34:17 +1100
committer	Damien George <damien.p.george@gmail.com>	2018-02-21 23:34:17 +1100
commit	160d6708684de8c71895f90bc699a5879fb6ed29 (patch)
tree	ad45452d4a64c7e6fe1e50ccdb8af5125b96828c /py
parent	8f9b113be25bec821254027e3e3d634f20553226 (diff)