summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorZackery Spytz <zspytz@gmail.com>2019-04-02 10:47:51 (GMT)
committerSerhiy Storchaka <storchaka@gmail.com>2019-04-02 10:47:51 (GMT)
commit487b73ab39c80157474821ef9083f51e0846bd62 (patch)
tree48d07ecac9d6821a21a0546dab8ba1cad3997dda
parentb8311cf5e5d72f8a8aa688b7da1760d6a74a4d72 (diff)
downloadcpython-487b73ab39c80157474821ef9083f51e0846bd62.zip
cpython-487b73ab39c80157474821ef9083f51e0846bd62.tar.gz
cpython-487b73ab39c80157474821ef9083f51e0846bd62.tar.bz2
bpo-36504: Fix signed integer overflow in _ctypes.c's PyCArrayType_new(). (GH-12660)
-rw-r--r--Lib/ctypes/test/test_arrays.py6
-rw-r--r--Misc/NEWS.d/next/Core and Builtins/2019-04-02-04-10-32.bpo-36504.k_V8Bm.rst1
-rw-r--r--Modules/_ctypes/_ctypes.c2
3 files changed, 8 insertions, 1 deletions
diff --git a/Lib/ctypes/test/test_arrays.py b/Lib/ctypes/test/test_arrays.py
index 6cfda8b..0fc5d7e 100644
--- a/Lib/ctypes/test/test_arrays.py
+++ b/Lib/ctypes/test/test_arrays.py
@@ -197,6 +197,12 @@ class ArrayTestCase(unittest.TestCase):
_type_ = c_int
_length_ = 0
+ def test_bpo36504_signed_int_overflow(self):
+ # The overflow check in PyCArrayType_new() could cause signed integer
+ # overflow.
+ with self.assertRaises(OverflowError):
+ c_char * sys.maxsize * 2
+
@unittest.skipUnless(sys.maxsize > 2**32, 'requires 64bit platform')
@bigmemtest(size=_2G, memuse=1, dry_run=False)
def test_large_array(self, size):
diff --git a/Misc/NEWS.d/next/Core and Builtins/2019-04-02-04-10-32.bpo-36504.k_V8Bm.rst b/Misc/NEWS.d/next/Core and Builtins/2019-04-02-04-10-32.bpo-36504.k_V8Bm.rst
new file mode 100644
index 0000000..8ac209d
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2019-04-02-04-10-32.bpo-36504.k_V8Bm.rst
@@ -0,0 +1 @@
+Fix signed integer overflow in _ctypes.c's ``PyCArrayType_new()``.
diff --git a/Modules/_ctypes/_ctypes.c b/Modules/_ctypes/_ctypes.c
index b3a2030..ac071bb 100644
--- a/Modules/_ctypes/_ctypes.c
+++ b/Modules/_ctypes/_ctypes.c
@@ -1518,7 +1518,7 @@ PyCArrayType_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
}
itemsize = itemdict->size;
- if (length * itemsize < 0) {
+ if (length > PY_SSIZE_T_MAX / itemsize) {
PyErr_SetString(PyExc_OverflowError,
"array too large");
goto error;