merge 3.5 (#26171)

benjaminp · benjaminp · commit 2b0b5ac5a093 · 2016-01-20T22:25:40.000-08:00
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -140,6 +140,9 @@ Core and Builtins
   converted to normal strings at run time. Given x=3, then
   f'value={x}' == 'value=3'. Patch by Eric V. Smith.
 
+- Issue #26171: Fix possible integer overflow and heap corruption in
+  zipimporter.get_data().
+
 Library
 -------
 
diff --git a/Modules/zipimport.c b/Modules/zipimport.c
@@ -1127,6 +1127,11 @@ get_data(PyObject *archive, PyObject *toc_entry)
     }
     file_offset += l;           /* Start of file data */
 
+    if (data_size > LONG_MAX - 1) {
+        fclose(fp);
+        PyErr_NoMemory();
+        return NULL;
+    }
     bytes_size = compress == 0 ? data_size : data_size + 1;
     if (bytes_size == 0)
         bytes_size++;
