bpo-31619: Fixed integer overflow in converting huge strings to int. (#3884)

diff --git a/Objects/longobject.c b/Objects/longobject.c
index c3dc59ee9e95db24788c82558c2b6b86e3aeeeeb..a7f496825ebd1fd83a4d7d63d1d2c54f3e694a8f 100644 (file)
--- a/Objects/longobject.c
+++ b/Objects/longobject.c
@@ -2024,7 +2024,7 @@ long_from_binary_base(const char **str, int base, PyLongObject **res)
     const char *p = *str;
     const char *start = p;
     char prev = 0;
-    int digits = 0;
+    Py_ssize_t digits = 0;
     int bits_per_char;
     Py_ssize_t n;
     PyLongObject *z;
@@ -2267,8 +2267,9 @@ just 1 digit at the start, so that the copying code was exercised for every
 digit beyond the first.
 ***/
         twodigits c;           /* current input character */
+        double fsize_z;
         Py_ssize_t size_z;
-        int digits = 0;
+        Py_ssize_t digits = 0;
         int i;
         int convwidth;
         twodigits convmultmax, convmult;
@@ -2330,7 +2331,14 @@ digit beyond the first.
          * need to initialize z->ob_digit -- no slot is read up before
          * being stored into.
          */
-        size_z = (Py_ssize_t)(digits * log_base_BASE[base]) + 1;
+        fsize_z = digits * log_base_BASE[base] + 1;
+        if (fsize_z > MAX_LONG_DIGITS) {
+            /* The same exception as in _PyLong_New(). */
+            PyErr_SetString(PyExc_OverflowError,
+                            "too many digits in integer");
+            return NULL;
+        }
+        size_z = (Py_ssize_t)fsize_z;
         /* Uncomment next line to test exceedingly rare copy code */
         /* size_z = 1; */
         assert(size_z > 0);