Issue #27581: Don’t rely on overflow wrapping in PySequence_Tuple()

Patch by Xiang Zhang.

Issue #27581: Don’t rely on overflow wrapping in PySequence_Tuple()
Patch by Xiang Zhang.
2a0438d2 · Martin Panter · 1e411c5c · 2a0438d2 · 2a0438d2
Kaydet (Commit) 2a0438d2 authored Tem 25, 2016 tarafından Martin Panter
Show whitespace changes
Inline Side-by-side

Showing with 8 additions and 4 deletions

NEWS Misc/NEWS +3 -0

abstract.c Objects/abstract.c +5 -4

No files found.
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -16,6 +16,9 @@ Core and Builtins
 - Issue #27507: Add integer overflow check in bytearray.extend().  Patch by
  Xiang Zhang.
+- Issue #27581: Don't rely on wrapping for overflow check in
+  PySequence_Tuple().  Patch by Xiang Zhang.
 - Issue #23908: os functions, open() and the io.FileIO constructor now reject
  unicode paths with embedded null character on Windows instead of silently
  truncating them.

--- a/Objects/abstract.c
+++ b/Objects/abstract.c
@@ -2211,21 +2211,22 @@ PySequence_Tuple(PyObject *v)
            break;
        }
        if (j >= n) {
-            Py_ssize_t oldn = n;
+            size_t newn = (size_t)n;
            /* The over-allocation strategy can grow a bit faster
               than for lists because unlike lists the
               over-allocation isn't permanent -- we reclaim
               the excess before the end of this routine.
               So, grow by ten and then add 25%.
            */
-            n += 10;
+            newn += 10u;
-            n += n >> 2;
+            newn += newn >> 2;
-            if (n < oldn) {
+            if (newn > PY_SSIZE_T_MAX) {
                /* Check for overflow */
                PyErr_NoMemory();
                Py_DECREF(item);
                goto Fail;
            }
+            n = (Py_ssize_t)newn;
            if (_PyTuple_Resize(&result, n) != 0) {
                Py_DECREF(item);
                goto Fail;