diff options
author | Benjamin Peterson <benjamin@python.org> | 2015-02-02 02:34:07 (GMT) |
---|---|---|
committer | Benjamin Peterson <benjamin@python.org> | 2015-02-02 02:34:07 (GMT) |
commit | 0eaabf1c05127793753dbb3641d4d107b284ae77 (patch) | |
tree | 339d052650eadbf997c68401f6917c2fcc6654bd /Modules | |
parent | 6f082297b260d3eb4975d6d4305eba6fd26f9ae9 (diff) | |
download | cpython-0eaabf1c05127793753dbb3641d4d107b284ae77.zip cpython-0eaabf1c05127793753dbb3641d4d107b284ae77.tar.gz cpython-0eaabf1c05127793753dbb3641d4d107b284ae77.tar.bz2 |
check for overflows in permutations() and product() (closes #23363, closes #23364)
Diffstat (limited to 'Modules')
-rw-r--r-- | Modules/itertoolsmodule.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/Modules/itertoolsmodule.c b/Modules/itertoolsmodule.c index 1075d95..f367423 100644 --- a/Modules/itertoolsmodule.c +++ b/Modules/itertoolsmodule.c @@ -1998,8 +1998,17 @@ product_new(PyTypeObject *type, PyObject *args, PyObject *kwds) } } - assert(PyTuple_Check(args)); - nargs = (repeat == 0) ? 0 : PyTuple_GET_SIZE(args); + assert(PyTuple_CheckExact(args)); + if (repeat == 0) { + nargs = 0; + } else { + nargs = PyTuple_GET_SIZE(args); + if (repeat > PY_SSIZE_T_MAX/sizeof(Py_ssize_t) || + nargs > PY_SSIZE_T_MAX/(repeat * sizeof(Py_ssize_t))) { + PyErr_SetString(PyExc_OverflowError, "repeat argument too large"); + return NULL; + } + } npools = nargs * repeat; indices = PyMem_Malloc(npools * sizeof(Py_ssize_t)); @@ -2992,6 +3001,11 @@ permutations_new(PyTypeObject *type, PyObject *args, PyObject *kwds) goto error; } + if (n > PY_SSIZE_T_MAX/sizeof(Py_ssize_t) || + r > PY_SSIZE_T_MAX/sizeof(Py_ssize_t)) { + PyErr_SetString(PyExc_OverflowError, "parameters too large"); + goto error; + } indices = PyMem_Malloc(n * sizeof(Py_ssize_t)); cycles = PyMem_Malloc(r * sizeof(Py_ssize_t)); if (indices == NULL || cycles == NULL) { |