#13096: Fix segfault in CTypes POINTER handling of large values.

Patch by Meador Inge.

diff --git a/Lib/ctypes/test/test_pointers.py b/Lib/ctypes/test/test_pointers.py
index f8ef0ab830c4e954cdfef2d4c2f62572e0415008..4cd3a7a689c8cbd53a18d3e83354e9dc476fc537 100644 (file)
--- a/Lib/ctypes/test/test_pointers.py
+++ b/Lib/ctypes/test/test_pointers.py
@@ -7,6 +7,8 @@ ctype_types = [c_byte, c_ubyte, c_short, c_ushort, c_int, c_uint,
                  c_long, c_ulong, c_longlong, c_ulonglong, c_double, c_float]
 python_types = [int, int, int, int, int, int,
                 int, int, int, int, float, float]
+LargeNamedType = type('T' * 2 ** 25, (Structure,), {})
+large_string = 'T' * 2 ** 25
 
 class PointersTestCase(unittest.TestCase):
 
@@ -188,5 +190,11 @@ class PointersTestCase(unittest.TestCase):
             mth = WINFUNCTYPE(None)(42, "name", (), None)
             self.assertEqual(bool(mth), True)
 
+    def test_pointer_type_name(self):
+        self.assertTrue(POINTER(LargeNamedType))
+
+    def test_pointer_type_str_name(self):
+        self.assertTrue(POINTER(large_string))
+
 if __name__ == '__main__':
     unittest.main()

diff --git a/Misc/NEWS b/Misc/NEWS
index a9ac0b2c8393c7705cbc06ef8f623a27520f2a66..ab5a4cb3789a5c20650fa01b652b34584e6e1168 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -27,6 +27,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #13096: Fixed segfault in CTypes POINTER handling of large
+  values.
+
 - Issue #11694: Raise ConversionError in xdrlib as documented.  Patch
   by Filip Gruszczyński and Claudiu Popa.
 

diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
index dcabbdf361d29bdd004786209d6899ef4d977005..6cf358cf89f39704a638f3037423a9efac402a40 100644 (file)
--- a/Modules/_ctypes/callproc.c
+++ b/Modules/_ctypes/callproc.c
@@ -1672,24 +1672,30 @@ POINTER(PyObject *self, PyObject *cls)
     }
     if (PyUnicode_CheckExact(cls)) {
         char *name = _PyUnicode_AsString(cls);
-        buf = alloca(strlen(name) + 3 + 1);
+        buf = PyMem_Malloc(strlen(name) + 3 + 1);
+        if (buf == NULL)
+            return PyErr_NoMemory();
         sprintf(buf, "LP_%s", name);
         result = PyObject_CallFunction((PyObject *)Py_TYPE(&PyCPointer_Type),
                                        "s(O){}",
                                        buf,
                                        &PyCPointer_Type);
+        PyMem_Free(buf);
         if (result == NULL)
             return result;
         key = PyLong_FromVoidPtr(result);
     } else if (PyType_Check(cls)) {
         typ = (PyTypeObject *)cls;
-        buf = alloca(strlen(typ->tp_name) + 3 + 1);
+        buf = PyMem_Malloc(strlen(typ->tp_name) + 3 + 1);
+        if (buf == NULL)
+            return PyErr_NoMemory();
         sprintf(buf, "LP_%s", typ->tp_name);
         result = PyObject_CallFunction((PyObject *)Py_TYPE(&PyCPointer_Type),
                                        "s(O){sO}",
                                        buf,
                                        &PyCPointer_Type,
                                        "_type_", cls);
+        PyMem_Free(buf);
         if (result == NULL)
             return result;
         Py_INCREF(cls);