summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuido van Rossum <guido@python.org>2002-03-01 22:24:49 (GMT)
committerGuido van Rossum <guido@python.org>2002-03-01 22:24:49 (GMT)
commit2eb0b87d141ff89582ddd7bb414f9958e39fc6ae (patch)
treec80c850e549d64ecd53dc858c3167f6c01aaac87
parent6f33250ef939356b8a577049cafce1961760fd27 (diff)
downloadcpython-2eb0b87d141ff89582ddd7bb414f9958e39fc6ae.zip
cpython-2eb0b87d141ff89582ddd7bb414f9958e39fc6ae.tar.gz
cpython-2eb0b87d141ff89582ddd7bb414f9958e39fc6ae.tar.bz2
SF patch 514641 (Naofumi Honda) - Negative ob_size of LongObjects
Due to the bizarre definition of _PyLong_Copy(), creating an instance of a subclass of long with a negative value could cause core dumps later on. Unfortunately it looks like the behavior of _PyLong_Copy() is quite intentional, so the fix is more work than feels comfortable. This fix is almost, but not quite, the code that Naofumi Honda added; in addition, I added a test case.
-rw-r--r--Lib/test/test_descr.py4
-rw-r--r--Misc/ACKS1
-rw-r--r--Objects/abstract.c12
-rw-r--r--Objects/object.c10
4 files changed, 23 insertions, 4 deletions
diff --git a/Lib/test/test_descr.py b/Lib/test/test_descr.py
index dd95dde..e667efb 100644
--- a/Lib/test/test_descr.py
+++ b/Lib/test/test_descr.py
@@ -1748,6 +1748,10 @@ def inherits():
verify((a + 0).__class__ is long)
verify((0 + a).__class__ is long)
+ # Check that negative clones don't segfault
+ a = longclone(-1)
+ vereq(a.__dict__, {})
+
class precfloat(float):
__slots__ = ['prec']
def __init__(self, value=0.0, prec=12):
diff --git a/Misc/ACKS b/Misc/ACKS
index 28157a4..a3ead13 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -203,6 +203,7 @@ Chris Hoffman
Albert Hofkamp
Gerrit Holl
Philip Homburg
+Naofumi Honda
Jeffrey Honig
Rob Hooft
Brian Hooper
diff --git a/Objects/abstract.c b/Objects/abstract.c
index 2acfd08..cae474c 100644
--- a/Objects/abstract.c
+++ b/Objects/abstract.c
@@ -933,8 +933,16 @@ PyNumber_Long(PyObject *o)
Py_INCREF(o);
return o;
}
- if (PyLong_Check(o))
- return _PyLong_Copy((PyLongObject *)o);
+ if (PyLong_Check(o)) {
+ PyObject *res;
+
+ res = _PyLong_Copy((PyLongObject *)o);
+ if (res != NULL)
+ ((PyLongObject *)res)->ob_size =
+ ((PyLongObject *)o)->ob_size;
+
+ return res;
+ }
if (PyString_Check(o))
/* need to do extra error checking that PyLong_FromString()
* doesn't do. In particular long('9.5') must raise an
diff --git a/Objects/object.c b/Objects/object.c
index 5812178..8babf79 100644
--- a/Objects/object.c
+++ b/Objects/object.c
@@ -1191,8 +1191,14 @@ _PyObject_GetDictPtr(PyObject *obj)
if (dictoffset == 0)
return NULL;
if (dictoffset < 0) {
- const size_t size = _PyObject_VAR_SIZE(tp,
- ((PyVarObject *)obj)->ob_size);
+ int tsize;
+ size_t size;
+
+ tsize = ((PyVarObject *)obj)->ob_size;
+ if (tsize < 0)
+ tsize = -tsize;
+ size = _PyObject_VAR_SIZE(tp, tsize);
+
dictoffset += (long)size;
assert(dictoffset > 0);
assert(dictoffset % SIZEOF_VOID_P == 0);