Issue #27507: Check for integer overflow in bytearray.extend()

Patch by Xiang Zhang.

diff --git a/Misc/NEWS b/Misc/NEWS
index 770f159e2ea7dac37ed77e4c2e4c5bd7f6f76dec..115182434b6d8f0e4b06dad33d509fc1aab4cd3a 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -22,6 +22,9 @@ Core and Builtins
 - Issue #27473: Fixed possible integer overflow in bytes and bytearray
   concatenations.  Patch by Xiang Zhang.
 
+- Issue #27507: Add integer overflow check in bytearray.extend().  Patch by
+  Xiang Zhang.
+
 - Issue #27443: __length_hint__() of bytearray iterators no longer return a
   negative integer for a resized bytearray.
 

diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c
index b21acfb3f0b2a881c3021f926c3024fb2814a74a..145863575f2445d3971d14db518e19681057c709 100644 (file)
--- a/Objects/bytearrayobject.c
+++ b/Objects/bytearrayobject.c
@@ -2474,7 +2474,17 @@ bytearray_extend(PyByteArrayObject *self, PyObject *iterable_of_ints)
         Py_DECREF(item);
 
         if (len >= buf_size) {
-            buf_size = len + (len >> 1) + 1;
+            Py_ssize_t addition;
+            if (len == PY_SSIZE_T_MAX) {
+                Py_DECREF(it);
+                Py_DECREF(bytearray_obj);
+                return PyErr_NoMemory();
+            }
+            addition = len >> 1;
+            if (addition > PY_SSIZE_T_MAX - len - 1)
+                buf_size = PY_SSIZE_T_MAX;
+            else
+                buf_size = len + addition + 1;
             if (PyByteArray_Resize((PyObject *)bytearray_obj, buf_size) < 0) {
                 Py_DECREF(it);
                 Py_DECREF(bytearray_obj);