From 4faf5c5655277cec99b2b11f7fe34e73d3ae28b9 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Thu, 21 May 2015 20:50:25 +0300
Subject: [PATCH] Issue #23985: Fixed integer overflow in iterator object. 
 Patch by Clement Rouault.

---
 Lib/test/test_iter.py | 25 +++++++++++++++++++++++++
 Misc/ACKS             |  1 +
 Misc/NEWS             |  3 +++
 Objects/iterobject.c  |  5 +++++
 4 files changed, 34 insertions(+)

diff --git a/Lib/test/test_iter.py b/Lib/test/test_iter.py
index e06f239ddab..abc408f8693 100644
--- a/Lib/test/test_iter.py
+++ b/Lib/test/test_iter.py
@@ -1,5 +1,6 @@
 # Test iterators.
 
+import sys
 import unittest
 from test.support import run_unittest, TESTFN, unlink, cpython_only
 import pickle
@@ -48,6 +49,10 @@ class SequenceClass:
         else:
             raise IndexError
 
+class UnlimitedSequenceClass:
+    def __getitem__(self, i):
+        return i
+
 # Main test suite
 
 class TestCase(unittest.TestCase):
@@ -919,6 +924,26 @@ class TestCase(unittest.TestCase):
         lst.extend(gen())
         self.assertEqual(len(lst), 760)
 
+    @cpython_only
+    def test_iter_overflow(self):
+        # Test for the issue 22939
+        it = iter(UnlimitedSequenceClass())
+        # Manually set `it_index` to PY_SSIZE_T_MAX-2 without a loop
+        it.__setstate__(sys.maxsize - 2)
+        self.assertEqual(next(it), sys.maxsize - 2)
+        self.assertEqual(next(it), sys.maxsize - 1)
+        with self.assertRaises(OverflowError):
+            next(it)
+        # Check that Overflow error is always raised
+        with self.assertRaises(OverflowError):
+            next(it)
+
+    def test_iter_neg_setstate(self):
+        it = iter(UnlimitedSequenceClass())
+        it.__setstate__(-42)
+        self.assertEqual(next(it), 0)
+        self.assertEqual(next(it), 1)
+
 
 def test_main():
     run_unittest(TestCase)
diff --git a/Misc/ACKS b/Misc/ACKS
index 7de6de6d423..b377050ec7c 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -1168,6 +1168,7 @@ Guido van Rossum
 Just van Rossum
 Hugo van Rossum
 Saskia van Rossum
+Clement Rouault
 Donald Wallace Rouse II
 Liam Routt
 Todd Rovito
diff --git a/Misc/NEWS b/Misc/NEWS
index 94ea12bff2b..edd6aaac2ba 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ Release date: tba
 Core and Builtins
 -----------------
 
+- Issue #23985: Fixed integer overflow in iterator object.  Patch by
+  Clement Rouault.
+
 - Issue #23985: Fix a possible buffer overrun when deleting a slice from
   the front of a bytearray and then appending some other bytes data.
 
diff --git a/Objects/iterobject.c b/Objects/iterobject.c
index 77ff8106fd2..3047d6b02f8 100644
--- a/Objects/iterobject.c
+++ b/Objects/iterobject.c
@@ -54,6 +54,11 @@ iter_iternext(PyObject *iterator)
     seq = it->it_seq;
     if (seq == NULL)
         return NULL;
+    if (it->it_index == PY_SSIZE_T_MAX) {
+        PyErr_SetString(PyExc_OverflowError,
+                        "iter index too large");
+        return NULL;
+    }
 
     result = PySequence_GetItem(seq, it->it_index);
     if (result != NULL) {