From 160d6708684de8c71895f90bc699a5879fb6ed29 Mon Sep 17 00:00:00 2001
From: Damien George <damien.p.george@gmail.com>
Date: Wed, 21 Feb 2018 23:34:17 +1100
Subject: [PATCH] py/objdeque: Protect against negative maxlen in deque
 constructor.

Otherwise passing -1 as maxlen will lead to a zero allocation and
subsequent unbound buffer overflow in deque.append() because i_put is
allowed to grow without bound.
---
 py/objdeque.c          | 8 +++++++-
 tests/basics/deque1.py | 6 ++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/py/objdeque.c b/py/objdeque.c
index a4c42c31f..573a48baf 100644
--- a/py/objdeque.c
+++ b/py/objdeque.c
@@ -50,9 +50,15 @@ STATIC mp_obj_t deque_make_new(const mp_obj_type_t *type, size_t n_args, size_t
         mp_raise_ValueError(NULL);
     }
 
+    // Protect against -1 leading to zero-length allocation and bad array access
+    mp_int_t maxlen = mp_obj_get_int(args[1]);
+    if (maxlen < 0) {
+        mp_raise_ValueError(NULL);
+    }
+
     mp_obj_deque_t *o = m_new_obj(mp_obj_deque_t);
     o->base.type = type;
-    o->alloc = mp_obj_get_int(args[1]) + 1;
+    o->alloc = maxlen + 1;
     o->i_get = o->i_put = 0;
     o->items = m_new(mp_obj_t, o->alloc);
     mp_seq_clear(o->items, 0, o->alloc, sizeof(*o->items));
diff --git a/tests/basics/deque1.py b/tests/basics/deque1.py
index 6b5669c45..19966fcb0 100644
--- a/tests/basics/deque1.py
+++ b/tests/basics/deque1.py
@@ -55,6 +55,12 @@ d.append(4)
 d.append(5)
 print(d.popleft(), d.popleft())
 
+# Negative maxlen is not allowed
+try:
+    deque((), -1)
+except ValueError:
+    print("ValueError")
+
 # Unsupported unary op
 try:
     ~d