From: Martin Panter <vadmium+py@gmail.com>
Date: Mon, 25 Jul 2016 02:30:05 +0000 (+0000)
Subject: Issue #27581: Don’t rely on overflow wrapping in PySequence_Tuple()
X-Git-Tag: v3.6.0a4~118^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e8db861f4743fa1702c3119c219c821790e11a9c;p=python

Issue #27581: Don’t rely on overflow wrapping in PySequence_Tuple()

Patch by Xiang Zhang.
---

diff --git a/Misc/NEWS b/Misc/NEWS
index a9ebb7c0fb..2e28d90106 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -25,6 +25,9 @@ Core and Builtins
 - Issue #27507: Add integer overflow check in bytearray.extend().  Patch by
   Xiang Zhang.
 
+- Issue #27581: Don't rely on wrapping for overflow check in
+  PySequence_Tuple().  Patch by Xiang Zhang.
+
 - Issue #27443: __length_hint__() of bytearray iterators no longer return a
   negative integer for a resized bytearray.
 
diff --git a/Objects/abstract.c b/Objects/abstract.c
index 585992d189..88205bd0ce 100644
--- a/Objects/abstract.c
+++ b/Objects/abstract.c
@@ -1724,21 +1724,22 @@ PySequence_Tuple(PyObject *v)
             break;
         }
         if (j >= n) {
-            Py_ssize_t oldn = n;
+            size_t newn = (size_t)n;
             /* The over-allocation strategy can grow a bit faster
                than for lists because unlike lists the
                over-allocation isn't permanent -- we reclaim
                the excess before the end of this routine.
                So, grow by ten and then add 25%.
             */
-            n += 10;
-            n += n >> 2;
-            if (n < oldn) {
+            newn += 10u;
+            newn += newn >> 2;
+            if (newn > PY_SSIZE_T_MAX) {
                 /* Check for overflow */
                 PyErr_NoMemory();
                 Py_DECREF(item);
                 goto Fail;
             }
+            n = (Py_ssize_t)newn;
             if (_PyTuple_Resize(&result, n) != 0) {
                 Py_DECREF(item);
                 goto Fail;