Trent Mick:

This patches fixes a possible overflow of the optional timeout
parameter for the select() function (selectmodule.c). This timeout is
passed in as a double and then truncated to an int. If the double is
sufficiently large you can get unexpected results as it
overflows. This patch raises an overflow if the given select timeout
overflows.

[GvR: To my embarrassment, the original code was assuming an int could
always hold a million.  Note that the overflow check doesn't test for
a very large *negative* timeout passed in -- but who in the world
would do such a thing?]

diff --git a/Modules/selectmodule.c b/Modules/selectmodule.c
index fb46fc30719b330296c51027548edce8e7441636..21eab476f10efa08083937154d8c65ca469771fc 100644 (file)
--- a/Modules/selectmodule.c
+++ b/Modules/selectmodule.c
@@ -238,7 +238,7 @@ select_select(self, args)
        fd_set ifdset, ofdset, efdset;
        double timeout;
        struct timeval tv, *tvp;
-       int seconds;
+       long seconds;
        int imax, omax, emax, max;
        int n;
 
@@ -255,10 +255,14 @@ select_select(self, args)
                return NULL;
        }
        else {
-               seconds = (int)timeout;
+               if (timeout > (double)LONG_MAX) {
+                       PyErr_SetString(PyExc_OverflowError, "timeout period too long");
+                       return NULL;
+               }
+               seconds = (long)timeout;
                timeout = timeout - (double)seconds;
                tv.tv_sec = seconds;
-               tv.tv_usec = (int)(timeout*1000000.0);
+               tv.tv_usec = (long)(timeout*1000000.0);
                tvp = &tv;
        }