Trent Mick:

Fix overflow bug in ldexp(x, exp). The 'exp' argument maps to a C int for the
math library call [double ldexp(double, int)], however the 'd'
PyArg_ParseTuple formatter was used to yield a double, which was subsequently
cast to an int. This could overflow.

[GvR: mysteriously, on Solaris 2.7, ldexp(1, 2147483647) returns Inf
while ldexp(1, 2147483646) raises OverflowError; this seems a bug in
the math library (it also takes a real long time to compute the
Inf outcome).  Does this point to a bug in the CHECK() macro?  It
should have discovered that the result was outside the HUGE_VAL range.]

diff --git a/Modules/mathmodule.c b/Modules/mathmodule.c
index a241c60aecfdcc583db6464a83dfab5ec81e0db2..d01de9056919c16a2d0dd637c7a2e53c7ab226af 100644 (file)
--- a/Modules/mathmodule.c
+++ b/Modules/mathmodule.c
@@ -196,13 +196,13 @@ math_ldexp(self, args)
        PyObject *self;
        PyObject *args;
 {
-       double x, y;
-       /* Cheat -- allow float as second argument */
-        if (! PyArg_Parse(args, "(dd)", &x, &y))
+       double x;
+       int exp;
+       if (! PyArg_Parse(args, "(di)", &x, &exp))
                return NULL;
        errno = 0;
        PyFPE_START_PROTECT("ldexp", return 0)
-       x = ldexp(x, (int)y);
+       x = ldexp(x, exp);
        PyFPE_END_PROTECT(x)
        CHECK(x);
        if (errno != 0)