Issue #17119: Fixed integer overflows when processing large Unicode strings

and tuples in the tkinter module.

Issue #17119: Fixed integer overflows when processing large Unicode strings
and tuples in the tkinter module.
4203570d · Serhiy Storchaka · b817faa4 · 4203570d · 4203570d · 4203570d
Kaydet (Commit) 4203570d authored Agu 21, 2013 tarafından Serhiy Storchaka
Hide whitespace changes
Inline Side-by-side

Showing with 52 additions and 11 deletions

test_tcl.py Lib/test/test_tcl.py +16 -1

NEWS Misc/NEWS +3 -0

_tkinter.c Modules/_tkinter.c +33 -10

No files found.
--- a/Lib/test/test_tcl.py
+++ b/Lib/test/test_tcl.py
@@ -3,6 +3,7 @@
 import unittest
 import sys
 import os
+import _testcapi
 from test import test_support
 from subprocess import Popen, PIPE
@@ -245,8 +246,22 @@ class TclTest(unittest.TestCase):
            self.assertEqual(split(arg), res)
+class BigmemTclTest(unittest.TestCase):
+    def setUp(self):
+        self.interp = Tcl()
+    @unittest.skipUnless(_testcapi.INT_MAX < _testcapi.PY_SSIZE_T_MAX,
+                         "needs UINT_MAX < SIZE_MAX")
+    @test_support.precisionbigmemtest(size=_testcapi.INT_MAX + 1, memuse=5,
+                                      dry_run=False)
+    def test_huge_string(self, size):
+        value = ' ' * size
+        self.assertRaises(OverflowError, self.interp.call, 'set', '_', value)
 def test_main():
-    test_support.run_unittest(TclTest, TkinterTest)
+    test_support.run_unittest(TclTest, TkinterTest, BigmemTclTest)
 if __name__ == "__main__":
    test_main()
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -32,6 +32,9 @@ Core and Builtins
 Library
 -------
+- Issue #17119: Fixed integer overflows when processing large Unicode strings
+  and tuples in the tkinter module.
 - Issue #15233: Python now guarantees that callables registered with the atexit
  module will be called in a deterministic order.

--- a/Modules/_tkinter.c
+++ b/Modules/_tkinter.c
@@ -47,6 +47,10 @@ Copyright (C) 1994 Steen Lumholt.
 #define PyBool_FromLong       PyInt_FromLong
 #endif
+#define CHECK_SIZE(size, elemsize) \
+    ((size_t)(size) <= (size_t)INT_MAX && \
+     (size_t)(size) <= UINT_MAX / (size_t)(elemsize))
 /* Starting with Tcl 8.4, many APIs offer const-correctness.  Unfortunately,
   making _tkinter correct for this API means to break earlier
   versions. USE_COMPAT_CONST allows to make _tkinter work with both 8.4 and
@@ -378,7 +382,7 @@ Merge(PyObject *args)
    char **argv = NULL;
    int fvStore[ARGSZ];
    int *fv = NULL;
-    int argc = 0, fvc = 0, i;
+    Py_ssize_t argc = 0, fvc = 0, i;
    char *res = NULL;
    if (!(tmp = PyList_New(0)))
@@ -400,8 +404,12 @@ Merge(PyObject *args)
        argc = PyTuple_Size(args);
        if (argc > ARGSZ) {
-            argv = (char **)ckalloc(argc * sizeof(char *));
+            if (!CHECK_SIZE(argc, sizeof(char *))) {
-            fv = (int *)ckalloc(argc * sizeof(int));
+                PyErr_SetString(PyExc_OverflowError, "tuple is too long");
+                goto finally;
+            }
+            argv = (char **)ckalloc((size_t)argc * sizeof(char *));
+            fv = (int *)ckalloc((size_t)argc * sizeof(int));
            if (argv == NULL || fv == NULL) {
                PyErr_NoMemory();
                goto finally;
@@ -983,12 +991,18 @@ AsObj(PyObject *value)
    else if (PyFloat_Check(value))
        return Tcl_NewDoubleObj(PyFloat_AS_DOUBLE(value));
    else if (PyTuple_Check(value)) {
-        Tcl_Obj **argv = (Tcl_Obj**)
+        Tcl_Obj **argv;
-            ckalloc(PyTuple_Size(value)*sizeof(Tcl_Obj*));
+        Py_ssize_t size, i;
-        int i;
+        size = PyTuple_Size(value);
+        if (!CHECK_SIZE(size, sizeof(Tcl_Obj *))) {
+            PyErr_SetString(PyExc_OverflowError, "tuple is too long");
+            return NULL;
+        }
+        argv = (Tcl_Obj **) ckalloc(((size_t)size) * sizeof(Tcl_Obj *));
        if(!argv)
          return 0;
-        for(i=0;i<PyTuple_Size(value);i++)
+        for (i = 0; i < size; i++)
          argv[i] = AsObj(PyTuple_GetItem(value,i));
        result = Tcl_NewListObj(PyTuple_Size(value), argv);
        ckfree(FREECAST argv);
@@ -1003,7 +1017,12 @@ AsObj(PyObject *value)
 #if defined(Py_UNICODE_WIDE) && TCL_UTF_MAX == 3
        Tcl_UniChar *outbuf = NULL;
        Py_ssize_t i;
-        size_t allocsize = ((size_t)size) * sizeof(Tcl_UniChar);
+        size_t allocsize;
+        if (!CHECK_SIZE(size, sizeof(Tcl_UniChar))) {
+            PyErr_SetString(PyExc_OverflowError, "string is too long");
+            return NULL;
+        }
+        allocsize = ((size_t)size) * sizeof(Tcl_UniChar);
        if (allocsize >= size)
            outbuf = (Tcl_UniChar*)ckalloc(allocsize);
        /* Else overflow occurred, and we take the next exit */
@@ -1198,7 +1217,7 @@ static Tcl_Obj**
 Tkapp_CallArgs(PyObject *args, Tcl_Obj** objStore, int *pobjc)
 {
    Tcl_Obj **objv = objStore;
-    int objc = 0, i;
+    Py_ssize_t objc = 0, i;
    if (args == NULL)
        /* do nothing */;
@@ -1213,7 +1232,11 @@ Tkapp_CallArgs(PyObject *args, Tcl_Obj** objStore, int *pobjc)
        objc = PyTuple_Size(args);
        if (objc > ARGSZ) {
-            objv = (Tcl_Obj **)ckalloc(objc * sizeof(char *));
+            if (!CHECK_SIZE(objc, sizeof(Tcl_Obj *))) {
+                PyErr_SetString(PyExc_OverflowError, "tuple is too long");
+                return NULL;
+            }
+            objv = (Tcl_Obj **)ckalloc(((size_t)objc) * sizeof(Tcl_Obj *));
            if (objv == NULL) {
                PyErr_NoMemory();
                objc = 0;