@@ -68,10 +68,10 @@ multiply_resolve_descriptors(
6868 } \
6969 npy_##shortname factor = *(npy_##shortname *)iin; \
7070 size_t cursize = is.size; \
71- /* FIXME: check for overflow? */ \
7271 size_t newsize = cursize * factor; \
73- \
74- if (npy_string_newemptysize (newsize , ops ) < 0 ) { \
72+ /* newsize can only be less than cursize if there is overflow */ \
73+ if (((newsize < cursize ) || \
74+ npy_string_newemptysize (newsize , ops ) < 0 )) { \
7575 gil_error (PyExc_MemoryError , \
7676 "Failed to allocate string in string mutiply" ); \
7777 return -1 ; \
@@ -81,6 +81,8 @@ multiply_resolve_descriptors(
8181 npy_load_string (ops , & os ); \
8282 for (size_t i = 0 ; i < (size_t )factor ; i ++ ) { \
8383 /* excplicitly discard const; initializing new buffer */ \
84+ /* multiply can't overflow because cursize * factor */ \
85+ /* has already been checked and doesn't overflow */ \
8486 memcpy ((char * )os .buf + i * cursize , is .buf , cursize ); \
8587 } \
8688 \
@@ -245,6 +247,12 @@ add_strided_loop(PyArrayMethod_Context *context, char *const data[],
245247 }
246248 }
247249
250+ if ((s1 .size + s2 .size ) < s1 .size ) {
251+ // overflow
252+ gil_error (PyExc_MemoryError ,
253+ "Failed to allocate string in string add" );
254+ }
255+
248256 if (npy_string_newemptysize (s1 .size + s2 .size , ops ) < 0 ) {
249257 return -1 ;
250258 }
0 commit comments