Issue #27581: Don’t rely on overflow wrapping in PySequence_Tuple()

Patch by Xiang Zhang.

diff --git a/Misc/NEWS b/Misc/NEWS
index ddaa1d305142599d3ce9a7628e7ce4928b69cb80..3158c33d07f6cfef8511b872df5463547ddd7685 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -16,6 +16,9 @@ Core and Builtins
 - Issue #27507: Add integer overflow check in bytearray.extend().  Patch by
   Xiang Zhang.
 
+- Issue #27581: Don't rely on wrapping for overflow check in
+  PySequence_Tuple().  Patch by Xiang Zhang.
+
 - Issue #23908: os functions, open() and the io.FileIO constructor now reject
   unicode paths with embedded null character on Windows instead of silently
   truncating them.

diff --git a/Objects/abstract.c b/Objects/abstract.c
index 2cb34b74014c093c0ddcad9143cf23d800937dcf..aa92ea9156d3a0457d1cfab160ece37fdf3e44df 100644 (file)
--- a/Objects/abstract.c
+++ b/Objects/abstract.c
@@ -2211,21 +2211,22 @@ PySequence_Tuple(PyObject *v)
             break;
         }
         if (j >= n) {
-            Py_ssize_t oldn = n;
+            size_t newn = (size_t)n;
             /* The over-allocation strategy can grow a bit faster
                than for lists because unlike lists the
                over-allocation isn't permanent -- we reclaim
                the excess before the end of this routine.
                So, grow by ten and then add 25%.
             */
-            n += 10;
-            n += n >> 2;
-            if (n < oldn) {
+            newn += 10u;
+            newn += newn >> 2;
+            if (newn > PY_SSIZE_T_MAX) {
                 /* Check for overflow */
                 PyErr_NoMemory();
                 Py_DECREF(item);
                 goto Fail;
             }
+            n = (Py_ssize_t)newn;
             if (_PyTuple_Resize(&result, n) != 0) {
                 Py_DECREF(item);
                 goto Fail;