gh-126594: Fix typeobject.c wrap_buffer() cast (#126754)

Reject flags smaller than INT_MIN.

Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>

2 files changed, 18 insertions, 3 deletions

diff --git a/Lib/test/test_buffer.py b/Lib/test/test_buffer.py
index cb38a69..332e49c 100644
--- a/Lib/test/test_buffer.py
+++ b/Lib/test/test_buffer.py
@@ -4446,6 +4446,21 @@ class TestBufferProtocol(unittest.TestCase):
             self.assertEqual(_testcapi.PyBuffer_SizeFromFormat(format),
                              struct.calcsize(format))
 
+    @support.cpython_only
+    def test_flags_overflow(self):
+        # gh-126594: Check for integer overlow on large flags
+        try:
+            from _testcapi import INT_MIN, INT_MAX
+        except ImportError:
+            INT_MIN = -(2 ** 31)
+            INT_MAX = 2 ** 31 - 1
+
+        obj = b'abc'
+        for flags in (INT_MIN - 1, INT_MAX + 1):
+            with self.subTest(flags=flags):
+                with self.assertRaises(OverflowError):
+                    obj.__buffer__(flags)
+
 
 class TestPythonBufferProtocol(unittest.TestCase):
     def test_basic(self):
diff --git a/Objects/typeobject.c b/Objects/typeobject.c
index a6cf3da..840d004 100644
--- a/Objects/typeobject.c
+++ b/Objects/typeobject.c
@@ -9314,13 +9314,13 @@ wrap_buffer(PyObject *self, PyObject *args, void *wrapped)
     if (flags == -1 && PyErr_Occurred()) {
         return NULL;
     }
-    if (flags > INT_MAX) {
+    if (flags > INT_MAX || flags < INT_MIN) {
         PyErr_SetString(PyExc_OverflowError,
-                        "buffer flags too large");
+                        "buffer flags out of range");
         return NULL;
     }
 
-    return _PyMemoryView_FromBufferProc(self, Py_SAFE_DOWNCAST(flags, Py_ssize_t, int),
+    return _PyMemoryView_FromBufferProc(self, (int)flags,
                                         (getbufferproc)wrapped);
 }