Fix for integer overflow in path.c

Tests/test_imagepath.py

@@ -3,7 +3,7 @@ from helper import unittest, PillowTestCase
 from PIL import ImagePath
 
 import array
-
+import struct
 
 class TestImagePath(PillowTestCase):
 
@@ -62,6 +62,34 @@ class TestImagePath(PillowTestCase):
         self.assertEqual(list(p), [(0.0, 1.0)])
 
 
+    def test_overflow_segfault(self):
+        try:
+            # post patch, this fails with a memory error
+            x = evil()
+            
+            # This fails due to the invalid malloc above,
+            # and segfaults
+            for i in xrange(200000):
+                x[i] = "0"*16
+                
+        except MemoryError as msg:
+            self.assertTrue(msg)
+        except:
+            self.asserTrue(False, "Should have received a memory error")
+
+
+class evil:
+	def __init__(self):
+		self.corrupt = ImagePath.Path(0x4000000000000000)
+
+	def __getitem__(self, i):
+		x = self.corrupt[i]
+		return struct.pack("dd", x[0], x[1])
+
+	def __setitem__(self, i, x):
+		self.corrupt[i] = struct.unpack("dd", x)
+
+
 if __name__ == '__main__':
     unittest.main()
 

path.c

@@ -57,6 +57,10 @@ alloc_array(Py_ssize_t count)
         PyErr_NoMemory();
         return NULL;
     }
+    if (count > (SIZE_MAX / (2 * sizeof(double))) - 1 ) {
+        PyErr_NoMemory();
+        return NULL;
+    }
     xy = malloc(2 * count * sizeof(double) + 1);
     if (!xy)
         PyErr_NoMemory();