From 2a0438d2e4f023b5edf0fcb27151b6ec4357642e Mon Sep 17 00:00:00 2001 From: Martin Panter Date: Mon, 25 Jul 2016 02:30:05 +0000 Subject: [PATCH] =?utf8?q?Issue=20#27581:=20Don=E2=80=99t=20rely=20on=20ov?= =?utf8?q?erflow=20wrapping=20in=20PySequence=5FTuple()?= MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Patch by Xiang Zhang. --- Misc/NEWS | 3 +++ Objects/abstract.c | 9 +++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/Misc/NEWS b/Misc/NEWS index ddaa1d3051..3158c33d07 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -16,6 +16,9 @@ Core and Builtins - Issue #27507: Add integer overflow check in bytearray.extend(). Patch by Xiang Zhang. +- Issue #27581: Don't rely on wrapping for overflow check in + PySequence_Tuple(). Patch by Xiang Zhang. + - Issue #23908: os functions, open() and the io.FileIO constructor now reject unicode paths with embedded null character on Windows instead of silently truncating them. diff --git a/Objects/abstract.c b/Objects/abstract.c index 2cb34b7401..aa92ea9156 100644 --- a/Objects/abstract.c +++ b/Objects/abstract.c @@ -2211,21 +2211,22 @@ PySequence_Tuple(PyObject *v) break; } if (j >= n) { - Py_ssize_t oldn = n; + size_t newn = (size_t)n; /* The over-allocation strategy can grow a bit faster than for lists because unlike lists the over-allocation isn't permanent -- we reclaim the excess before the end of this routine. So, grow by ten and then add 25%. */ - n += 10; - n += n >> 2; - if (n < oldn) { + newn += 10u; + newn += newn >> 2; + if (newn > PY_SSIZE_T_MAX) { /* Check for overflow */ PyErr_NoMemory(); Py_DECREF(item); goto Fail; } + n = (Py_ssize_t)newn; if (_PyTuple_Resize(&result, n) != 0) { Py_DECREF(item); goto Fail; -- 2.50.1