diff options
author | Martin Panter <vadmium+py@gmail.com> | 2016-07-25 02:39:20 (GMT) |
---|---|---|
committer | Martin Panter <vadmium+py@gmail.com> | 2016-07-25 02:39:20 (GMT) |
commit | b93d8637a6bce5b1b61423dc6c8319fc82a31b13 (patch) | |
tree | 2bf465e8c89e54dc4989f126b7b8c20008e455a9 | |
parent | 32d2ce3561088eb0fbb3e63e9fcbc3a90491604a (diff) | |
download | cpython-b93d8637a6bce5b1b61423dc6c8319fc82a31b13.zip cpython-b93d8637a6bce5b1b61423dc6c8319fc82a31b13.tar.gz cpython-b93d8637a6bce5b1b61423dc6c8319fc82a31b13.tar.bz2 |
Issue #1621: Avoid signed overflow in list and tuple operations
Patch by Xiang Zhang.
-rw-r--r-- | Lib/test/list_tests.py | 14 | ||||
-rw-r--r-- | Misc/NEWS | 3 | ||||
-rw-r--r-- | Objects/listobject.c | 18 | ||||
-rw-r--r-- | Objects/tupleobject.c | 4 |
4 files changed, 28 insertions, 11 deletions
diff --git a/Lib/test/list_tests.py b/Lib/test/list_tests.py index f20fdc0..26e9368 100644 --- a/Lib/test/list_tests.py +++ b/Lib/test/list_tests.py @@ -266,9 +266,21 @@ class CommonTest(seq_tests.CommonTest): self.assertEqual(a, list("spameggs")) self.assertRaises(TypeError, a.extend, None) - self.assertRaises(TypeError, a.extend) + # overflow test. issue1621 + class CustomIter: + def __iter__(self): + return self + def __next__(self): + raise StopIteration + def __length_hint__(self): + return sys.maxsize + a = self.type2test([1,2,3,4]) + a.extend(CustomIter()) + self.assertEqual(a, [1,2,3,4]) + + def test_insert(self): a = self.type2test([0, 1, 2]) a.insert(0, -2) @@ -16,6 +16,9 @@ Core and Builtins - Issue #27581: Don't rely on wrapping for overflow check in PySequence_Tuple(). Patch by Xiang Zhang. +- Issue #1621: Avoid signed integer overflow in list and tuple operations. + Patch by Xiang Zhang. + - Issue #27419: Standard __import__() no longer look up "__import__" in globals or builtins for importing submodules or "from import". Fixed a crash if raise a warning about unabling to resolve package from __spec__ or diff --git a/Objects/listobject.c b/Objects/listobject.c index ddc0fee..0b2c8c1 100644 --- a/Objects/listobject.c +++ b/Objects/listobject.c @@ -488,9 +488,9 @@ list_concat(PyListObject *a, PyObject *bb) return NULL; } #define b ((PyListObject *)bb) - size = Py_SIZE(a) + Py_SIZE(b); - if (size < 0) + if (Py_SIZE(a) > PY_SSIZE_T_MAX - Py_SIZE(b)) return PyErr_NoMemory(); + size = Py_SIZE(a) + Py_SIZE(b); np = (PyListObject *) PyList_New(size); if (np == NULL) { return NULL; @@ -841,18 +841,20 @@ listextend(PyListObject *self, PyObject *b) return NULL; } m = Py_SIZE(self); - mn = m + n; - if (mn >= m) { + if (m > PY_SSIZE_T_MAX - n) { + /* m + n overflowed; on the chance that n lied, and there really + * is enough room, ignore it. If n was telling the truth, we'll + * eventually run out of memory during the loop. + */ + } + else { + mn = m + n; /* Make room. */ if (list_resize(self, mn) < 0) goto error; /* Make the list sane again. */ Py_SIZE(self) = m; } - /* Else m + n overflowed; on the chance that n lied, and there really - * is enough room, ignore it. If n was telling the truth, we'll - * eventually run out of memory during the loop. - */ /* Run iterator to exhaustion. */ for (;;) { diff --git a/Objects/tupleobject.c b/Objects/tupleobject.c index 1b41258..c0ff499 100644 --- a/Objects/tupleobject.c +++ b/Objects/tupleobject.c @@ -453,9 +453,9 @@ tupleconcat(PyTupleObject *a, PyObject *bb) return NULL; } #define b ((PyTupleObject *)bb) - size = Py_SIZE(a) + Py_SIZE(b); - if (size < 0) + if (Py_SIZE(a) > PY_SSIZE_T_MAX - Py_SIZE(b)) return PyErr_NoMemory(); + size = Py_SIZE(a) + Py_SIZE(b); np = (PyTupleObject *) PyTuple_New(size); if (np == NULL) { return NULL; |