From e8db861f4743fa1702c3119c219c821790e11a9c Mon Sep 17 00:00:00 2001 From: Martin Panter Date: Mon, 25 Jul 2016 02:30:05 +0000 Subject: [PATCH] =?UTF-8?q?Issue=20#27581:=20Don=E2=80=99t=20rely=20on=20o?= =?UTF-8?q?verflow=20wrapping=20in=20PySequence=5FTuple()?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch by Xiang Zhang. --- Misc/NEWS | 3 +++ Objects/abstract.c | 9 +++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/Misc/NEWS b/Misc/NEWS index a9ebb7c0fbe..2e28d901060 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -25,6 +25,9 @@ Core and Builtins - Issue #27507: Add integer overflow check in bytearray.extend(). Patch by Xiang Zhang. +- Issue #27581: Don't rely on wrapping for overflow check in + PySequence_Tuple(). Patch by Xiang Zhang. + - Issue #27443: __length_hint__() of bytearray iterators no longer return a negative integer for a resized bytearray. diff --git a/Objects/abstract.c b/Objects/abstract.c index 585992d189e..88205bd0ce7 100644 --- a/Objects/abstract.c +++ b/Objects/abstract.c @@ -1724,21 +1724,22 @@ PySequence_Tuple(PyObject *v) break; } if (j >= n) { - Py_ssize_t oldn = n; + size_t newn = (size_t)n; /* The over-allocation strategy can grow a bit faster than for lists because unlike lists the over-allocation isn't permanent -- we reclaim the excess before the end of this routine. So, grow by ten and then add 25%. */ - n += 10; - n += n >> 2; - if (n < oldn) { + newn += 10u; + newn += newn >> 2; + if (newn > PY_SSIZE_T_MAX) { /* Check for overflow */ PyErr_NoMemory(); Py_DECREF(item); goto Fail; } + n = (Py_ssize_t)newn; if (_PyTuple_Resize(&result, n) != 0) { Py_DECREF(item); goto Fail;