From dda9121ad1108d625d546548df787083a0f7a5b5 Mon Sep 17 00:00:00 2001 From: Benjamin Peterson Date: Sun, 1 Feb 2015 21:34:07 -0500 Subject: check for overflows in permutations() and product() (closes #23363, closes #23364) --- Lib/test/test_itertools.py | 12 ++++++++++++ Misc/NEWS | 4 ++++ Modules/itertoolsmodule.c | 18 ++++++++++++++++-- 3 files changed, 32 insertions(+), 2 deletions(-) diff --git a/Lib/test/test_itertools.py b/Lib/test/test_itertools.py index 9cd3ad8..3c7dd49 100644 --- a/Lib/test/test_itertools.py +++ b/Lib/test/test_itertools.py @@ -284,6 +284,13 @@ class TestBasicOps(unittest.TestCase): self.assertEqual(result, list(permutations(values, None))) # test r as None self.assertEqual(result, list(permutations(values))) # test default r + @test_support.bigaddrspacetest + def test_permutations_overflow(self): + with self.assertRaises(OverflowError): + permutations("A", 2**30) + with self.assertRaises(OverflowError): + permutations("A", 2, 2**30) + @test_support.impl_detail("tuple reuse is specific to CPython") def test_permutations_tuple_reuse(self): self.assertEqual(len(set(map(id, permutations('abcde', 3)))), 1) @@ -702,6 +709,11 @@ class TestBasicOps(unittest.TestCase): args = map(iter, args) self.assertEqual(len(list(product(*args))), expected_len) + @test_support.bigaddrspacetest + def test_product_overflow(self): + with self.assertRaises(OverflowError): + product(["a"]*(2**16), repeat=2**16) + @test_support.impl_detail("tuple reuse is specific to CPython") def test_product_tuple_reuse(self): self.assertEqual(len(set(map(id, product('abc', 'def')))), 1) diff --git a/Misc/NEWS b/Misc/NEWS index b213a29..494a386 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -18,6 +18,10 @@ Core and Builtins Library ------- +- Issue #23363: Fix possible overflow in itertools.permutations. + +- Issue #23364: Fix possible overflow in itertools.product. + - Issue #23365: Fixed possible integer overflow in itertools.combinations_with_replacement. diff --git a/Modules/itertoolsmodule.c b/Modules/itertoolsmodule.c index 47a5e8b..b63975c 100644 --- a/Modules/itertoolsmodule.c +++ b/Modules/itertoolsmodule.c @@ -1842,8 +1842,17 @@ product_new(PyTypeObject *type, PyObject *args, PyObject *kwds) } } - assert(PyTuple_Check(args)); - nargs = (repeat == 0) ? 0 : PyTuple_GET_SIZE(args); + assert(PyTuple_CheckExact(args)); + if (repeat == 0) { + nargs = 0; + } else { + nargs = PyTuple_GET_SIZE(args); + if (repeat > PY_SSIZE_T_MAX/sizeof(Py_ssize_t) || + nargs > PY_SSIZE_T_MAX/(repeat * sizeof(Py_ssize_t))) { + PyErr_SetString(PyExc_OverflowError, "repeat argument too large"); + return NULL; + } + } npools = nargs * repeat; indices = PyMem_Malloc(npools * sizeof(Py_ssize_t)); @@ -2603,6 +2612,11 @@ permutations_new(PyTypeObject *type, PyObject *args, PyObject *kwds) goto error; } + if (n > PY_SSIZE_T_MAX/sizeof(Py_ssize_t) || + r > PY_SSIZE_T_MAX/sizeof(Py_ssize_t)) { + PyErr_SetString(PyExc_OverflowError, "parameters too large"); + goto error; + } indices = PyMem_Malloc(n * sizeof(Py_ssize_t)); cycles = PyMem_Malloc(r * sizeof(Py_ssize_t)); if (indices == NULL || cycles == NULL) { -- cgit v0.12