From 3262e1675335e00e0f437cce921a1b22a8a33b76 Mon Sep 17 00:00:00 2001
From: Guido van Rossum <guido@python.org>
Date: Wed, 28 Jun 2000 21:18:13 +0000
Subject: Trent Mick:

This patches fixes a possible overflow of the optional timeout
parameter for the select() function (selectmodule.c). This timeout is
passed in as a double and then truncated to an int. If the double is
sufficiently large you can get unexpected results as it
overflows. This patch raises an overflow if the given select timeout
overflows.

[GvR: To my embarrassment, the original code was assuming an int could
always hold a million.  Note that the overflow check doesn't test for
a very large *negative* timeout passed in -- but who in the world
would do such a thing?]
---
 Modules/selectmodule.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/Modules/selectmodule.c b/Modules/selectmodule.c
index fb46fc3..21eab47 100644
--- a/Modules/selectmodule.c
+++ b/Modules/selectmodule.c
@@ -238,7 +238,7 @@ select_select(self, args)
 	fd_set ifdset, ofdset, efdset;
 	double timeout;
 	struct timeval tv, *tvp;
-	int seconds;
+	long seconds;
 	int imax, omax, emax, max;
 	int n;
 
@@ -255,10 +255,14 @@ select_select(self, args)
 		return NULL;
 	}
 	else {
-		seconds = (int)timeout;
+		if (timeout > (double)LONG_MAX) {
+			PyErr_SetString(PyExc_OverflowError, "timeout period too long");
+			return NULL;
+		}
+		seconds = (long)timeout;
 		timeout = timeout - (double)seconds;
 		tv.tv_sec = seconds;
-		tv.tv_usec = (int)(timeout*1000000.0);
+		tv.tv_usec = (long)(timeout*1000000.0);
 		tvp = &tv;
 	}
 
-- 
cgit v0.12