Issue #7406: Fix some occurrences of potential signed overflow in int

arithmetic.

diff --git a/Objects/intobject.c b/Objects/intobject.c
index dce569a6efaf2ef636f891647cae16f8a18c517f..43dedf25485e31f4e65bcf3a95f6033bc8424c23 100644 (file)
--- a/Objects/intobject.c
+++ b/Objects/intobject.c
@@ -461,7 +461,8 @@ int_add(PyIntObject *v, PyIntObject *w)
        register long a, b, x;
        CONVERT_TO_LONG(v, a);
        CONVERT_TO_LONG(w, b);
-       x = a + b;
+       /* casts in the line below avoid undefined behaviour on overflow */
+       x = (long)((unsigned long)a + b);
        if ((x^a) >= 0 || (x^b) >= 0)
                return PyInt_FromLong(x);
        return PyLong_Type.tp_as_number->nb_add((PyObject *)v, (PyObject *)w);
@@ -473,7 +474,8 @@ int_sub(PyIntObject *v, PyIntObject *w)
        register long a, b, x;
        CONVERT_TO_LONG(v, a);
        CONVERT_TO_LONG(w, b);
-       x = a - b;
+       /* casts in the line below avoid undefined behaviour on overflow */
+       x = (long)((unsigned long)a - b);
        if ((x^a) >= 0 || (x^~b) >= 0)
                return PyInt_FromLong(x);
        return PyLong_Type.tp_as_number->nb_subtract((PyObject *)v,
@@ -516,7 +518,8 @@ int_mul(PyObject *v, PyObject *w)
 
        CONVERT_TO_LONG(v, a);
        CONVERT_TO_LONG(w, b);
-       longprod = a * b;
+       /* casts in the next line avoid undefined behaviour on overflow */
+       longprod = (long)((unsigned long)a * b);
        doubleprod = (double)a * (double)b;
        doubled_longprod = (double)longprod;
 

diff --git a/Python/ceval.c b/Python/ceval.c
index dd820f298512df684c4534e4dc89e1f99b3ac9f8..e5e70463f74dc369547245fe8ed6f4ee108a9689 100644 (file)
--- a/Python/ceval.c
+++ b/Python/ceval.c
@@ -1321,7 +1321,9 @@ PyEval_EvalFrameEx(PyFrameObject *f, int throwflag)
                                register long a, b, i;
                                a = PyInt_AS_LONG(v);
                                b = PyInt_AS_LONG(w);
-                               i = a + b;
+                               /* cast to avoid undefined behaviour
+                                  on overflow */
+                               i = (long)((unsigned long)a + b);
                                if ((i^a) < 0 && (i^b) < 0)
                                        goto slow_add;
                                x = PyInt_FromLong(i);
@@ -1351,7 +1353,9 @@ PyEval_EvalFrameEx(PyFrameObject *f, int throwflag)
                                register long a, b, i;
                                a = PyInt_AS_LONG(v);
                                b = PyInt_AS_LONG(w);
-                               i = a - b;
+                               /* cast to avoid undefined behaviour
+                                  on overflow */
+                               i = (long)((unsigned long)a - b);
                                if ((i^a) < 0 && (i^~b) < 0)
                                        goto slow_sub;
                                x = PyInt_FromLong(i);