From: Martin Panter Date: Mon, 25 Jul 2016 02:30:05 +0000 (+0000) Subject: Issue #27581: Don’t rely on overflow wrapping in PySequence_Tuple() X-Git-Tag: v2.7.13rc1~239 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2a0438d2e4f023b5edf0fcb27151b6ec4357642e;p=python Issue #27581: Don’t rely on overflow wrapping in PySequence_Tuple() Patch by Xiang Zhang. --- diff --git a/Misc/NEWS b/Misc/NEWS index ddaa1d3051..3158c33d07 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -16,6 +16,9 @@ Core and Builtins - Issue #27507: Add integer overflow check in bytearray.extend(). Patch by Xiang Zhang. +- Issue #27581: Don't rely on wrapping for overflow check in + PySequence_Tuple(). Patch by Xiang Zhang. + - Issue #23908: os functions, open() and the io.FileIO constructor now reject unicode paths with embedded null character on Windows instead of silently truncating them. diff --git a/Objects/abstract.c b/Objects/abstract.c index 2cb34b7401..aa92ea9156 100644 --- a/Objects/abstract.c +++ b/Objects/abstract.c @@ -2211,21 +2211,22 @@ PySequence_Tuple(PyObject *v) break; } if (j >= n) { - Py_ssize_t oldn = n; + size_t newn = (size_t)n; /* The over-allocation strategy can grow a bit faster than for lists because unlike lists the over-allocation isn't permanent -- we reclaim the excess before the end of this routine. So, grow by ten and then add 25%. */ - n += 10; - n += n >> 2; - if (n < oldn) { + newn += 10u; + newn += newn >> 2; + if (newn > PY_SSIZE_T_MAX) { /* Check for overflow */ PyErr_NoMemory(); Py_DECREF(item); goto Fail; } + n = (Py_ssize_t)newn; if (_PyTuple_Resize(&result, n) != 0) { Py_DECREF(item); goto Fail;