From e921e02a2e97cc418a1c8faec135056802849864 Mon Sep 17 00:00:00 2001
From: Jeremy Hylton <jeremy@alum.mit.edu>
Date: Thu, 17 Jul 2008 16:37:17 +0000
Subject: Fix uninitialized memory read for cases like def(f, *): pass

There's not much interesting here.  The old code read uninitialized
memory but at worst incremented i past NCH(n), but no bad effects
followed from that.
---
 Python/ast.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/Python/ast.c b/Python/ast.c
index 6ec2ef1..9adb5a2 100644
--- a/Python/ast.c
+++ b/Python/ast.c
@@ -742,15 +742,21 @@ ast_for_arguments(struct compiling *c, const node *n)
     }
     assert(TYPE(n) == typedargslist || TYPE(n) == varargslist);
 
-    /* first count the number of positional args & defaults */
+    /* First count the number of positional args & defaults.  The
+       variable i is the loop index for this for loop and the next.
+       The next loop picks up where the first leaves off.
+    */
     for (i = 0; i < NCH(n); i++) {
         ch = CHILD(n, i);
         if (TYPE(ch) == STAR) {
-            /* skip star and possible argument */
+            /* skip star */
             i++;
-            i += (TYPE(CHILD(n, i)) == tfpdef
-                  || TYPE(CHILD(n, i)) == vfpdef);
-            break; 
+            if (i < NCH(n) && /* skip argument following star */
+                (TYPE(CHILD(n, i)) == tfpdef ||
+                 TYPE(CHILD(n, i)) == vfpdef)) {
+                i++;
+            }
+            break;
         }
         if (TYPE(ch) == DOUBLESTAR) break;
         if (TYPE(ch) == vfpdef || TYPE(ch) == tfpdef) nposargs++;
-- 
cgit v0.12