diff options
author | Guido van Rossum <guido@python.org> | 2002-03-01 22:24:49 (GMT) |
---|---|---|
committer | Guido van Rossum <guido@python.org> | 2002-03-01 22:24:49 (GMT) |
commit | 2eb0b87d141ff89582ddd7bb414f9958e39fc6ae (patch) | |
tree | c80c850e549d64ecd53dc858c3167f6c01aaac87 | |
parent | 6f33250ef939356b8a577049cafce1961760fd27 (diff) | |
download | cpython-2eb0b87d141ff89582ddd7bb414f9958e39fc6ae.zip cpython-2eb0b87d141ff89582ddd7bb414f9958e39fc6ae.tar.gz cpython-2eb0b87d141ff89582ddd7bb414f9958e39fc6ae.tar.bz2 |
SF patch 514641 (Naofumi Honda) - Negative ob_size of LongObjects
Due to the bizarre definition of _PyLong_Copy(), creating an instance
of a subclass of long with a negative value could cause core dumps
later on. Unfortunately it looks like the behavior of _PyLong_Copy()
is quite intentional, so the fix is more work than feels comfortable.
This fix is almost, but not quite, the code that Naofumi Honda added;
in addition, I added a test case.
-rw-r--r-- | Lib/test/test_descr.py | 4 | ||||
-rw-r--r-- | Misc/ACKS | 1 | ||||
-rw-r--r-- | Objects/abstract.c | 12 | ||||
-rw-r--r-- | Objects/object.c | 10 |
4 files changed, 23 insertions, 4 deletions
diff --git a/Lib/test/test_descr.py b/Lib/test/test_descr.py index dd95dde..e667efb 100644 --- a/Lib/test/test_descr.py +++ b/Lib/test/test_descr.py @@ -1748,6 +1748,10 @@ def inherits(): verify((a + 0).__class__ is long) verify((0 + a).__class__ is long) + # Check that negative clones don't segfault + a = longclone(-1) + vereq(a.__dict__, {}) + class precfloat(float): __slots__ = ['prec'] def __init__(self, value=0.0, prec=12): @@ -203,6 +203,7 @@ Chris Hoffman Albert Hofkamp Gerrit Holl Philip Homburg +Naofumi Honda Jeffrey Honig Rob Hooft Brian Hooper diff --git a/Objects/abstract.c b/Objects/abstract.c index 2acfd08..cae474c 100644 --- a/Objects/abstract.c +++ b/Objects/abstract.c @@ -933,8 +933,16 @@ PyNumber_Long(PyObject *o) Py_INCREF(o); return o; } - if (PyLong_Check(o)) - return _PyLong_Copy((PyLongObject *)o); + if (PyLong_Check(o)) { + PyObject *res; + + res = _PyLong_Copy((PyLongObject *)o); + if (res != NULL) + ((PyLongObject *)res)->ob_size = + ((PyLongObject *)o)->ob_size; + + return res; + } if (PyString_Check(o)) /* need to do extra error checking that PyLong_FromString() * doesn't do. In particular long('9.5') must raise an diff --git a/Objects/object.c b/Objects/object.c index 5812178..8babf79 100644 --- a/Objects/object.c +++ b/Objects/object.c @@ -1191,8 +1191,14 @@ _PyObject_GetDictPtr(PyObject *obj) if (dictoffset == 0) return NULL; if (dictoffset < 0) { - const size_t size = _PyObject_VAR_SIZE(tp, - ((PyVarObject *)obj)->ob_size); + int tsize; + size_t size; + + tsize = ((PyVarObject *)obj)->ob_size; + if (tsize < 0) + tsize = -tsize; + size = _PyObject_VAR_SIZE(tp, tsize); + dictoffset += (long)size; assert(dictoffset > 0); assert(dictoffset % SIZEOF_VOID_P == 0); |