From: Victor Stinner <victor.stinner@gmail.com>
Date: Wed, 3 May 2017 14:00:12 +0000 (+0200)
Subject: bpo-30255: Clip step in _PySlice_Unpack() (#1429)
X-Git-Tag: v2.7.14rc1~184
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f6a3133972378205baaa6a854d46170d04a2db67;p=python

bpo-30255: Clip step in _PySlice_Unpack() (#1429)

In PySlice_IndicesEx, clip the step to [-PY_SSIZE_T_MAX,
PY_SSIZE_T_MAX] rather than [PY_SSIZE_T_MIN, PY_SSIZE_T_MAX].

(cherry picked from commit e6fc7401a92c7b51a80782d8095819b9909a0322)
---

diff --git a/Misc/NEWS b/Misc/NEWS
index b510725a5d..50a2c78ac9 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -932,6 +932,11 @@ Tools/Demos
 C API
 -----
 
+- bpo-30255: PySlice_GetIndicesEx now clips the step to
+  [-PY_SSIZE_T_MAX, PY_SSIZE_T_MAX] instead of
+  [-PY_SSIZE_T_MAX-1, PY_SSIZE_T_MAX].  This makes it safe to do "step = -step"
+  when reversing a slice.
+
 - Issue #26476: Fixed compilation error when use PyErr_BadInternalCall() in C++.
   Patch by Jeroen Demeyer.
 
diff --git a/Objects/sliceobject.c b/Objects/sliceobject.c
index 8f17fcacc8..64be927038 100644
--- a/Objects/sliceobject.c
+++ b/Objects/sliceobject.c
@@ -147,6 +147,13 @@ _PySlice_Unpack(PyObject *_r,
                             "slice step cannot be zero");
             return -1;
         }
+        /* Here *step might be -PY_SSIZE_T_MAX-1; in this case we replace it
+         * with -PY_SSIZE_T_MAX.  This doesn't affect the semantics, and it
+         * guards against later undefined behaviour resulting from code that
+         * does "step = -step" as part of a slice reversal.
+         */
+        if (*step < -PY_SSIZE_T_MAX)
+            *step = -PY_SSIZE_T_MAX;
     }
 
     if (r->start == Py_None) {