Mirror
/
cpython
mirror of https://github.com/python/cpython
4
1
Fork 0
Code Issues Releases Wiki Activity

bpo-36946: Fix possible signed integer overflow when handling slices. (GH-13375) 

The final addition (cur += step) may overflow, so use size_t for "cur".
"cur" is always positive (even for negative steps), so it is safe to use
size_t here.

Co-Authored-By: Martin Panter <vadmium+py@gmail.com>
This commit is contained in:
Zackery Spytz 2019-05-17 01:13:03 -06:00 committed by Serhiy Storchaka
parent 870b035bc6
commit 14514d9084
15 changed files with 45 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
Lib/ctypes/test/test_arrays.py
View File

@ -69,6 +69,17 @@ class ArrayTestCase(unittest.TestCase):
from operator import delitem from operator import delitem
self.assertRaises(TypeError, delitem, ca, 0) self.assertRaises(TypeError, delitem, ca, 0)
def test_step_overflow(self):
a = (c_int * 5)()
a[3::sys.maxsize] = (1,)
self.assertListEqual(a[3::sys.maxsize], [1])
a = (c_char * 5)()
a[3::sys.maxsize] = b"A"
self.assertEqual(a[3::sys.maxsize], b"A")
a = (c_wchar * 5)()
a[3::sys.maxsize] = u"X"
self.assertEqual(a[3::sys.maxsize], u"X")
def test_numeric_arrays(self): def test_numeric_arrays(self):
alen = 5 alen = 5

1
Lib/test/seq_tests.py
View File

@ -209,6 +209,7 @@ class CommonTest(unittest.TestCase):
a = self.type2test([0,1,2,3,4]) a = self.type2test([0,1,2,3,4])
self.assertEqual(a[ -pow(2,128): 3 ], self.type2test([0,1,2])) self.assertEqual(a[ -pow(2,128): 3 ], self.type2test([0,1,2]))
self.assertEqual(a[ 3: pow(2,145) ], self.type2test([3,4])) self.assertEqual(a[ 3: pow(2,145) ], self.type2test([3,4]))
self.assertEqual(a[3::sys.maxsize], self.type2test([3]))
def test_contains(self): def test_contains(self):
u = self.type2test([0, 1, 2]) u = self.type2test([0, 1, 2])

2
Lib/test/string_tests.py
View File

@ -1135,7 +1135,7 @@ class MixinStrUnicodeUserStringTest:
def test_extended_getslice(self): def test_extended_getslice(self):
# Test extended slicing by comparing with list slicing. # Test extended slicing by comparing with list slicing.
s = string.ascii_letters + string.digits s = string.ascii_letters + string.digits
indices = (0, None, 1, 3, 41, -1, -2, -37) indices = (0, None, 1, 3, 41, sys.maxsize, -1, -2, -37)
for start in indices: for start in indices:
for stop in indices: for stop in indices:
# Skip step 0 (invalid) # Skip step 0 (invalid)

4
Lib/test/test_array.py
View File

@ -746,7 +746,7 @@ class BaseTest:
# Test extended slicing by comparing with list slicing # Test extended slicing by comparing with list slicing
# (Assumes list conversion works correctly, too) # (Assumes list conversion works correctly, too)
a = array.array(self.typecode, self.example) a = array.array(self.typecode, self.example)
indices = (0, None, 1, 3, 19, 100, -1, -2, -31, -100) indices = (0, None, 1, 3, 19, 100, sys.maxsize, -1, -2, -31, -100)
for start in indices: for start in indices:
for stop in indices: for stop in indices:
# Everything except the initial 0 (invalid step) # Everything except the initial 0 (invalid step)
@ -844,7 +844,7 @@ class BaseTest:
self.assertRaises(TypeError, a.__setitem__, slice(0, 1), b) self.assertRaises(TypeError, a.__setitem__, slice(0, 1), b)
def test_extended_set_del_slice(self): def test_extended_set_del_slice(self):
indices = (0, None, 1, 3, 19, 100, -1, -2, -31, -100) indices = (0, None, 1, 3, 19, 100, sys.maxsize, -1, -2, -31, -100)
for start in indices: for start in indices:
for stop in indices: for stop in indices:
# Everything except the initial 0 (invalid step) # Everything except the initial 0 (invalid step)

5
Lib/test/test_bytes.py
View File

@ -285,7 +285,7 @@ class BaseBytesTest:
# Test extended slicing by comparing with list slicing. # Test extended slicing by comparing with list slicing.
L = list(range(255)) L = list(range(255))
b = self.type2test(L) b = self.type2test(L)
indices = (0, None, 1, 3, 19, 100, -1, -2, -31, -100) indices = (0, None, 1, 3, 19, 100, sys.maxsize, -1, -2, -31, -100)
for start in indices: for start in indices:
for stop in indices: for stop in indices:
# Skip step 0 (invalid) # Skip step 0 (invalid)
@ -1242,7 +1242,8 @@ class ByteArrayTest(BaseBytesTest, unittest.TestCase):
self.assertLessEqual(sys.getsizeof(b), size) self.assertLessEqual(sys.getsizeof(b), size)
def test_extended_set_del_slice(self): def test_extended_set_del_slice(self):
indices = (0, None, 1, 3, 19, 300, 1<<333, -1, -2, -31, -300) indices = (0, None, 1, 3, 19, 300, 1<<333, sys.maxsize,
-1, -2, -31, -300)
for start in indices: for start in indices:
for stop in indices: for stop in indices:
# Skip invalid step 0 # Skip invalid step 0

4
Lib/test/test_mmap.py
View File

@ -439,7 +439,7 @@ class MmapTests(unittest.TestCase):
m = mmap.mmap(-1, len(s)) m = mmap.mmap(-1, len(s))
m[:] = s m[:] = s
self.assertEqual(m[:], s) self.assertEqual(m[:], s)
indices = (0, None, 1, 3, 19, 300, -1, -2, -31, -300) indices = (0, None, 1, 3, 19, 300, sys.maxsize, -1, -2, -31, -300)
for start in indices: for start in indices:
for stop in indices: for stop in indices:
# Skip step 0 (invalid) # Skip step 0 (invalid)
@ -451,7 +451,7 @@ class MmapTests(unittest.TestCase):
# Test extended slicing by comparing with list slicing. # Test extended slicing by comparing with list slicing.
s = bytes(reversed(range(256))) s = bytes(reversed(range(256)))
m = mmap.mmap(-1, len(s)) m = mmap.mmap(-1, len(s))
indices = (0, None, 1, 3, 19, 300, -1, -2, -31, -300) indices = (0, None, 1, 3, 19, 300, sys.maxsize, -1, -2, -31, -300)
for start in indices: for start in indices:
for stop in indices: for stop in indices:
# Skip invalid step 0 # Skip invalid step 0

1
Misc/NEWS.d/next/Core and Builtins/2019-05-16-23-53-45.bpo-36946.qjxr0Y.rst Normal file
View File

@ -0,0 +1 @@
Fix possible signed integer overflow when handling slices.

6
Modules/_ctypes/_ctypes.c
View File

@ -4487,7 +4487,8 @@ Array_subscript(PyObject *myself, PyObject *item)
StgDictObject *stgdict, *itemdict; StgDictObject *stgdict, *itemdict;
PyObject *proto; PyObject *proto;
PyObject *np; PyObject *np;
Py_ssize_t start, stop, step, slicelen, cur, i; Py_ssize_t start, stop, step, slicelen, i;
size_t cur;
if (PySlice_Unpack(item, &start, &stop, &step) < 0) { if (PySlice_Unpack(item, &start, &stop, &step) < 0) {
return NULL; return NULL;
@ -4627,7 +4628,8 @@ Array_ass_subscript(PyObject *myself, PyObject *item, PyObject *value)
return Array_ass_item(myself, i, value); return Array_ass_item(myself, i, value);
} }
else if (PySlice_Check(item)) { else if (PySlice_Check(item)) {
Py_ssize_t start, stop, step, slicelen, otherlen, i, cur; Py_ssize_t start, stop, step, slicelen, otherlen, i;
size_t cur;
if (PySlice_Unpack(item, &start, &stop, &step) < 0) { if (PySlice_Unpack(item, &start, &stop, &step) < 0) {
return -1; return -1;

6
Modules/_elementtree.c
View File

@ -1809,7 +1809,8 @@ element_subscr(PyObject* self_, PyObject* item)
return element_getitem(self_, i); return element_getitem(self_, i);
} }
else if (PySlice_Check(item)) { else if (PySlice_Check(item)) {
Py_ssize_t start, stop, step, slicelen, cur, i; Py_ssize_t start, stop, step, slicelen, i;
size_t cur;
PyObject* list; PyObject* list;
if (!self->extra) if (!self->extra)
@ -1861,7 +1862,8 @@ element_ass_subscr(PyObject* self_, PyObject* item, PyObject* value)
return element_setitem(self_, i, value); return element_setitem(self_, i, value);
} }
else if (PySlice_Check(item)) { else if (PySlice_Check(item)) {
Py_ssize_t start, stop, step, slicelen, newlen, cur, i; Py_ssize_t start, stop, step, slicelen, newlen, i;
size_t cur;
PyObject* recycle = NULL; PyObject* recycle = NULL;
PyObject* seq; PyObject* seq;

6
Modules/arraymodule.c
View File

@ -2343,7 +2343,8 @@ array_subscr(arrayobject* self, PyObject* item)
return array_item(self, i); return array_item(self, i);
} }
else if (PySlice_Check(item)) { else if (PySlice_Check(item)) {
Py_ssize_t start, stop, step, slicelength, cur, i; Py_ssize_t start, stop, step, slicelength, i;
size_t cur;
PyObject* result; PyObject* result;
arrayobject* ar; arrayobject* ar;
int itemsize = self->ob_descr->itemsize; int itemsize = self->ob_descr->itemsize;
@ -2527,7 +2528,8 @@ array_ass_subscr(arrayobject* self, PyObject* item, PyObject* value)
return 0; return 0;
} }
else { else {
Py_ssize_t cur, i; size_t cur;
Py_ssize_t i;
if (needed != slicelength) { if (needed != slicelength) {
PyErr_Format(PyExc_ValueError, PyErr_Format(PyExc_ValueError,

6
Modules/mmapmodule.c
View File

@ -806,7 +806,8 @@ mmap_subscript(mmap_object *self, PyObject *item)
slicelen); slicelen);
else { else {
char *result_buf = (char *)PyMem_Malloc(slicelen); char *result_buf = (char *)PyMem_Malloc(slicelen);
Py_ssize_t cur, i; size_t cur;
Py_ssize_t i;
PyObject *result; PyObject *result;
if (result_buf == NULL) if (result_buf == NULL)
@ -926,7 +927,8 @@ mmap_ass_subscript(mmap_object *self, PyObject *item, PyObject *value)
memcpy(self->data + start, vbuf.buf, slicelen); memcpy(self->data + start, vbuf.buf, slicelen);
} }
else { else {
Py_ssize_t cur, i; size_t cur;
Py_ssize_t i;
for (cur = start, i = 0; for (cur = start, i = 0;
i < slicelen; i < slicelen;

3
Objects/bytearrayobject.c
View File

@ -410,7 +410,8 @@ bytearray_subscript(PyByteArrayObject *self, PyObject *index)
return PyLong_FromLong((unsigned char)(PyByteArray_AS_STRING(self)[i])); return PyLong_FromLong((unsigned char)(PyByteArray_AS_STRING(self)[i]));
} }
else if (PySlice_Check(index)) { else if (PySlice_Check(index)) {
Py_ssize_t start, stop, step, slicelength, cur, i; Py_ssize_t start, stop, step, slicelength, i;
size_t cur;
if (PySlice_Unpack(index, &start, &stop, &step) < 0) { if (PySlice_Unpack(index, &start, &stop, &step) < 0) {
return NULL; return NULL;
} }

3
Objects/bytesobject.c
View File

@ -1677,7 +1677,8 @@ bytes_subscript(PyBytesObject* self, PyObject* item)
return PyLong_FromLong((unsigned char)self->ob_sval[i]); return PyLong_FromLong((unsigned char)self->ob_sval[i]);
} }
else if (PySlice_Check(item)) { else if (PySlice_Check(item)) {
Py_ssize_t start, stop, step, slicelength, cur, i; Py_ssize_t start, stop, step, slicelength, i;
size_t cur;
char* source_buf; char* source_buf;
char* result_buf; char* result_buf;
PyObject* result; PyObject* result;

3
Objects/tupleobject.c
View File

@ -753,7 +753,8 @@ tuplesubscript(PyTupleObject* self, PyObject* item)
return tupleitem(self, i); return tupleitem(self, i);
} }
else if (PySlice_Check(item)) { else if (PySlice_Check(item)) {
Py_ssize_t start, stop, step, slicelength, cur, i; Py_ssize_t start, stop, step, slicelength, i;
size_t cur;
PyObject* result; PyObject* result;
PyObject* it; PyObject* it;
PyObject **src, **dest; PyObject **src, **dest;

3
Objects/unicodeobject.c
View File

@ -13991,7 +13991,8 @@ unicode_subscript(PyObject* self, PyObject* item)
i += PyUnicode_GET_LENGTH(self); i += PyUnicode_GET_LENGTH(self);
return unicode_getitem(self, i); return unicode_getitem(self, i);
} else if (PySlice_Check(item)) { } else if (PySlice_Check(item)) {
Py_ssize_t start, stop, step, slicelength, cur, i; Py_ssize_t start, stop, step, slicelength, i;
size_t cur;
PyObject *result; PyObject *result;
void *src_data, *dest_data; void *src_data, *dest_data;
int src_kind, dest_kind; int src_kind, dest_kind;