From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Date: Sun, 3 Dec 2017 21:27:21 +0000 (-0800)
Subject: bpo-31619: Fixed integer overflow in converting huge strings to int. (GH-3884) (... 
X-Git-Tag: v3.6.4rc1~12
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=30a6bc842945e3e9c9c7db887ab495c428ec7074;p=python

bpo-31619: Fixed integer overflow in converting huge strings to int. (GH-3884) (#4690)

(cherry picked from commit 29ba688034fc4eef0693b86002cf7bee55d692af)
---

diff --git a/Objects/longobject.c b/Objects/longobject.c
index c0cd7c12be..c3c0949189 100644
--- a/Objects/longobject.c
+++ b/Objects/longobject.c
@@ -2016,7 +2016,7 @@ long_from_binary_base(const char **str, int base, PyLongObject **res)
     const char *p = *str;
     const char *start = p;
     char prev = 0;
-    int digits = 0;
+    Py_ssize_t digits = 0;
     int bits_per_char;
     Py_ssize_t n;
     PyLongObject *z;
@@ -2259,8 +2259,9 @@ just 1 digit at the start, so that the copying code was exercised for every
 digit beyond the first.
 ***/
         twodigits c;           /* current input character */
+        double fsize_z;
         Py_ssize_t size_z;
-        int digits = 0;
+        Py_ssize_t digits = 0;
         int i;
         int convwidth;
         twodigits convmultmax, convmult;
@@ -2322,7 +2323,14 @@ digit beyond the first.
          * need to initialize z->ob_digit -- no slot is read up before
          * being stored into.
          */
-        size_z = (Py_ssize_t)(digits * log_base_BASE[base]) + 1;
+        fsize_z = digits * log_base_BASE[base] + 1;
+        if (fsize_z > MAX_LONG_DIGITS) {
+            /* The same exception as in _PyLong_New(). */
+            PyErr_SetString(PyExc_OverflowError,
+                            "too many digits in integer");
+            return NULL;
+        }
+        size_z = (Py_ssize_t)fsize_z;
         /* Uncomment next line to test exceedingly rare copy code */
         /* size_z = 1; */
         assert(size_z > 0);