diff options
| author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2023-01-21 10:54:09 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-01-21 10:54:09 (GMT) |
| commit | d2aaf818aefb217029371cf660cc10bd63726730 (patch) | |
| tree | c1a70fb12f72df8e2bcdfd4f362002416ea334f1 | |
| parent | 99da75e770a7108cd046b103ada27cf31427fb0b (diff) | |
| download | cpython-d2aaf818aefb217029371cf660cc10bd63726730.zip cpython-d2aaf818aefb217029371cf660cc10bd63726730.tar.gz cpython-d2aaf818aefb217029371cf660cc10bd63726730.tar.bz2 | |
[3.11] gh-101037: Fix potential memory underallocation for zeros of int subtypes (GH-101038) (#101219)
gh-101037: Fix potential memory underallocation for zeros of int subtypes (GH-101038)
This PR fixes object allocation in long_subtype_new to ensure that there's at least one digit in all cases, and makes sure that the value of that digit is copied over from the source long.
Needs backport to 3.11, but not any further: the change to require at least one digit was only introduced for Python 3.11.
Fixes GH-101037.
(cherry picked from commit 401fdf9c851eb61229250ebffa942adca99b36d1)
Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
| -rw-r--r-- | Include/cpython/longintrepr.h | 3 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Core and Builtins/2023-01-14-17-03-08.gh-issue-101037.9ATNuf.rst | 2 | ||||
| -rw-r--r-- | Objects/longobject.c | 5 |
3 files changed, 10 insertions, 0 deletions
diff --git a/Include/cpython/longintrepr.h b/Include/cpython/longintrepr.h index 68dbf9c..6d52427 100644 --- a/Include/cpython/longintrepr.h +++ b/Include/cpython/longintrepr.h @@ -71,6 +71,9 @@ typedef long stwodigits; /* signed variant of twodigits */ 0 <= ob_digit[i] <= MASK. The allocation function takes care of allocating extra memory so that ob_digit[0] ... ob_digit[abs(ob_size)-1] are actually available. + We always allocate memory for at least one digit, so accessing ob_digit[0] + is always safe. However, in the case ob_size == 0, the contents of + ob_digit[0] may be undefined. CAUTION: Generic code manipulating subtypes of PyVarObject has to aware that ints abuse ob_size's sign bit. diff --git a/Misc/NEWS.d/next/Core and Builtins/2023-01-14-17-03-08.gh-issue-101037.9ATNuf.rst b/Misc/NEWS.d/next/Core and Builtins/2023-01-14-17-03-08.gh-issue-101037.9ATNuf.rst new file mode 100644 index 0000000..a487566 --- /dev/null +++ b/Misc/NEWS.d/next/Core and Builtins/2023-01-14-17-03-08.gh-issue-101037.9ATNuf.rst @@ -0,0 +1,2 @@ +Fix potential memory underallocation issue for instances of :class:`int` +subclasses with value zero. diff --git a/Objects/longobject.c b/Objects/longobject.c index c8dd576..84c05e8 100644 --- a/Objects/longobject.c +++ b/Objects/longobject.c @@ -5415,6 +5415,11 @@ long_subtype_new(PyTypeObject *type, PyObject *x, PyObject *obase) n = Py_SIZE(tmp); if (n < 0) n = -n; + /* Fast operations for single digit integers (including zero) + * assume that there is always at least one digit present. */ + if (n == 0) { + n = 1; + } newobj = (PyLongObject *)type->tp_alloc(type, n); if (newobj == NULL) { Py_DECREF(tmp); |