diff options
author | Zackery Spytz <zspytz@gmail.com> | 2019-04-02 10:47:51 (GMT) |
---|---|---|
committer | Serhiy Storchaka <storchaka@gmail.com> | 2019-04-02 10:47:51 (GMT) |
commit | 487b73ab39c80157474821ef9083f51e0846bd62 (patch) | |
tree | 48d07ecac9d6821a21a0546dab8ba1cad3997dda | |
parent | b8311cf5e5d72f8a8aa688b7da1760d6a74a4d72 (diff) | |
download | cpython-487b73ab39c80157474821ef9083f51e0846bd62.zip cpython-487b73ab39c80157474821ef9083f51e0846bd62.tar.gz cpython-487b73ab39c80157474821ef9083f51e0846bd62.tar.bz2 |
bpo-36504: Fix signed integer overflow in _ctypes.c's PyCArrayType_new(). (GH-12660)
-rw-r--r-- | Lib/ctypes/test/test_arrays.py | 6 | ||||
-rw-r--r-- | Misc/NEWS.d/next/Core and Builtins/2019-04-02-04-10-32.bpo-36504.k_V8Bm.rst | 1 | ||||
-rw-r--r-- | Modules/_ctypes/_ctypes.c | 2 |
3 files changed, 8 insertions, 1 deletions
diff --git a/Lib/ctypes/test/test_arrays.py b/Lib/ctypes/test/test_arrays.py index 6cfda8b..0fc5d7e 100644 --- a/Lib/ctypes/test/test_arrays.py +++ b/Lib/ctypes/test/test_arrays.py @@ -197,6 +197,12 @@ class ArrayTestCase(unittest.TestCase): _type_ = c_int _length_ = 0 + def test_bpo36504_signed_int_overflow(self): + # The overflow check in PyCArrayType_new() could cause signed integer + # overflow. + with self.assertRaises(OverflowError): + c_char * sys.maxsize * 2 + @unittest.skipUnless(sys.maxsize > 2**32, 'requires 64bit platform') @bigmemtest(size=_2G, memuse=1, dry_run=False) def test_large_array(self, size): diff --git a/Misc/NEWS.d/next/Core and Builtins/2019-04-02-04-10-32.bpo-36504.k_V8Bm.rst b/Misc/NEWS.d/next/Core and Builtins/2019-04-02-04-10-32.bpo-36504.k_V8Bm.rst new file mode 100644 index 0000000..8ac209d --- /dev/null +++ b/Misc/NEWS.d/next/Core and Builtins/2019-04-02-04-10-32.bpo-36504.k_V8Bm.rst @@ -0,0 +1 @@ +Fix signed integer overflow in _ctypes.c's ``PyCArrayType_new()``. diff --git a/Modules/_ctypes/_ctypes.c b/Modules/_ctypes/_ctypes.c index b3a2030..ac071bb 100644 --- a/Modules/_ctypes/_ctypes.c +++ b/Modules/_ctypes/_ctypes.c @@ -1518,7 +1518,7 @@ PyCArrayType_new(PyTypeObject *type, PyObject *args, PyObject *kwds) } itemsize = itemdict->size; - if (length * itemsize < 0) { + if (length > PY_SSIZE_T_MAX / itemsize) { PyErr_SetString(PyExc_OverflowError, "array too large"); goto error; |