From 34d79c1c99b0baf3357507245e0f0419297ea4e2 Mon Sep 17 00:00:00 2001
From: "Dwayne C. Litzenberger" <dlitz@dlitz.net>
Date: Sat, 18 Feb 2012 12:35:23 -0500
Subject: [PATCH 1/3] Fix segfaults & reference leaks in error-handling

These bugs are likely only triggered during out-of-memory conditions.  The bug
report is at:

    https://bugs.launchpad.net/pycrypto/+bug/934294

These were found by Dave Malcolm's experimental static analysis tool:

    http://fedorapeople.org/~dmalcolm/gcc-python-plugin/2012-02-14/python-crypto-2.5-1.fc17/

See also:

    https://fedorahosted.org/gcc-python-plugin/
    http://gcc-python-plugin.readthedocs.org/en/latest/cpychecker.html
---
 src/_fastmath.c |   68 ++++++++++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 58 insertions(+), 10 deletions(-)

diff --git a/src/_fastmath.c b/src/_fastmath.c
index 6af1f05..c0f8c4e 100644
--- a/src/_fastmath.c
+++ b/src/_fastmath.c
@@ -466,6 +466,8 @@ dsaKey_new (PyObject * self, PyObject * args)
 		return NULL;
 
 	key = PyObject_New (dsaKey, &dsaKeyType);
+	if (key == NULL)
+		return NULL;
 	mpz_init (key->y);
 	mpz_init (key->g);
 	mpz_init (key->p);
@@ -552,7 +554,7 @@ dsaKey_getattr (dsaKey * key, char *attr)
 static PyObject *
 dsaKey__sign (dsaKey * key, PyObject * args)
 {
-	PyObject *lm, *lk, *lr, *ls;
+	PyObject *lm, *lk, *lr, *ls, *retval;
 	mpz_t m, k, r, s;
 	int result;
 	if (!PyArg_ParseTuple (args, "O!O!", &PyLong_Type, &lm,
@@ -574,11 +576,19 @@ dsaKey__sign (dsaKey * key, PyObject * args)
 	}
 	lr = mpzToLongObj (r);
 	ls = mpzToLongObj (s);
+	if (lr == NULL || ls == NULL) goto errout;
 	mpz_clear (m);
 	mpz_clear (k);
 	mpz_clear (r);
 	mpz_clear (s);
-	return Py_BuildValue ("(NN)", lr, ls);
+	retval = Py_BuildValue ("(NN)", lr, ls);
+	if (retval == NULL) goto errout;
+	return retval;
+
+errout:
+	Py_XDECREF(lr);
+	Py_XDECREF(ls);
+	return NULL;
 }
 
 static PyObject *
@@ -703,6 +713,8 @@ rsaKey_new (PyObject * self, PyObject * args)
 		return NULL;
 
 	key = PyObject_New (rsaKey, &rsaKeyType);
+	if (key == NULL)
+		return NULL;
 	mpz_init (key->n);
 	mpz_init (key->e);
 	mpz_init (key->d);
@@ -838,7 +850,7 @@ rsaKey_getattr (rsaKey * key, char *attr)
 static PyObject *
 rsaKey__encrypt (rsaKey * key, PyObject * args)
 {
-	PyObject *l, *r;
+	PyObject *l, *r, *retval;
 	mpz_t v;
 	int result;
 	if (!PyArg_ParseTuple (args, "O!", &PyLong_Type, &l))
@@ -854,14 +866,20 @@ rsaKey__encrypt (rsaKey * key, PyObject * args)
 		return NULL;
 	}
 	r = (PyObject *) mpzToLongObj (v);
+	if (r == NULL) return NULL;
 	mpz_clear (v);
-	return Py_BuildValue ("N", r);
+	retval = Py_BuildValue ("N", r);
+	if (retval == NULL) {
+		Py_DECREF(r);
+		return NULL;
+	}
+	return retval;
 }
 
 static PyObject *
 rsaKey__decrypt (rsaKey * key, PyObject * args)
 {
-	PyObject *l, *r;
+	PyObject *l, *r, *retval;
 	mpz_t v;
 	int result;
 	if (!PyArg_ParseTuple (args, "O!", &PyLong_Type, &l))
@@ -884,8 +902,14 @@ rsaKey__decrypt (rsaKey * key, PyObject * args)
 		return NULL;
 	}
 	r = mpzToLongObj (v);
+	if (r == NULL) return NULL;
 	mpz_clear (v);
-	return Py_BuildValue ("N", r);
+	retval = Py_BuildValue ("N", r);
+	if (retval == NULL) {
+		Py_DECREF(r);
+		return NULL;
+	}
+	return retval;
 }
 
 static PyObject *
@@ -916,7 +940,7 @@ rsaKey__verify (rsaKey * key, PyObject * args)
 static PyObject *
 rsaKey__blind (rsaKey * key, PyObject * args)
 {
-	PyObject *l, *lblind, *r;
+	PyObject *l, *lblind, *r, *retval;
 	mpz_t v, vblind;
 	int result;
 	if (!PyArg_ParseTuple (args, "O!O!", &PyLong_Type, &l, 
@@ -940,15 +964,22 @@ rsaKey__blind (rsaKey * key, PyObject * args)
 			return NULL;
 		}
 	r = (PyObject *) mpzToLongObj (v);
+	if (r == NULL)
+		return NULL;
 	mpz_clear (v);
 	mpz_clear (vblind);
-	return Py_BuildValue ("N", r);
+	retval = Py_BuildValue ("N", r);
+	if (retval == NULL) {
+		Py_DECREF(r);
+		return NULL;
+	}
+	return retval;
 }
 
 static PyObject *
 rsaKey__unblind (rsaKey * key, PyObject * args)
 {
-	PyObject *l, *lblind, *r;
+	PyObject *l, *lblind, *r, *retval;
 	mpz_t v, vblind;
 	int result;
 	if (!PyArg_ParseTuple (args, "O!O!", &PyLong_Type, &l, 
@@ -977,9 +1008,15 @@ rsaKey__unblind (rsaKey * key, PyObject * args)
 			return NULL;
 		}
 	r = (PyObject *) mpzToLongObj (v);
+	if (r == NULL) return NULL;
 	mpz_clear (v);
 	mpz_clear (vblind);
-	return Py_BuildValue ("N", r);
+	retval = Py_BuildValue ("N", r);
+	if (retval == NULL) {
+		Py_DECREF(r);
+		return NULL;
+	}
+	return retval;
 }
 
 static PyObject *
@@ -1153,7 +1190,15 @@ getRandomInteger (mpz_t n, unsigned long int bits, PyObject *randfunc_)
 	}
 
 	arglist = Py_BuildValue ("(l)", (long int)bytes);
+	if (arglist == NULL) {
+		return_val = 0;
+		goto cleanup;
+	}
 	rand_bytes = PyObject_CallObject (randfunc, arglist);
+	if (rand_bytes == NULL) {
+		return_val = 0;
+		goto cleanup;
+	}
 	Py_DECREF (arglist);
 	if (!PyBytes_Check (rand_bytes))
 	{
@@ -1650,6 +1695,9 @@ init_fastmath (void)
 #endif
  	_fastmath_dict = PyModule_GetDict (_fastmath_module);
 	fastmathError = PyErr_NewException ("_fastmath.error", NULL, NULL);
+#ifdef IS_PY3K
+	if (fastmathError == NULL) return NULL;
+#endif
  	PyDict_SetItemString (_fastmath_dict, "error", fastmathError);
 
 	PyModule_AddIntConstant(_fastmath_module, "HAVE_DECL_MPZ_POWM_SEC", HAVE_DECL_MPZ_POWM_SEC);
-- 
1.7.7.6