SF patch 514641 (Naofumi Honda) - Negative ob_size of LongObjects

Due to the bizarre definition of _PyLong_Copy(), creating an instance
of a subclass of long with a negative value could cause core dumps
later on.  Unfortunately it looks like the behavior of _PyLong_Copy()
is quite intentional, so the fix is more work than feels comfortable.

This fix is almost, but not quite, the code that Naofumi Honda added;
in addition, I added a test case.

Lib/test/test_descr.py

@@ -1748,6 +1748,10 @@ def inherits():
     verify((a + 0).__class__ is long)
     verify((0 + a).__class__ is long)
 
+    # Check that negative clones don't segfault
+    a = longclone(-1)
+    vereq(a.__dict__, {})
+
     class precfloat(float):
         __slots__ = ['prec']
         def __init__(self, value=0.0, prec=12):

Misc/ACKS

@@ -203,6 +203,7 @@ Chris Hoffman
 Albert Hofkamp
 Gerrit Holl
 Philip Homburg
+Naofumi Honda
 Jeffrey Honig
 Rob Hooft
 Brian Hooper

Objects/abstract.c

@@ -933,8 +933,16 @@ PyNumber_Long(PyObject *o)
 		Py_INCREF(o);
 		return o;
 	}
-	if (PyLong_Check(o))
-		return _PyLong_Copy((PyLongObject *)o);
+	if (PyLong_Check(o)) {
+		PyObject *res;
+
+		res = _PyLong_Copy((PyLongObject *)o);
+		if (res != NULL)
+			((PyLongObject *)res)->ob_size =
+				((PyLongObject *)o)->ob_size;
+
+		return res;
+	}
 	if (PyString_Check(o))
 		/* need to do extra error checking that PyLong_FromString() 
 		 * doesn't do.  In particular long('9.5') must raise an

Objects/object.c

@@ -1191,8 +1191,14 @@ _PyObject_GetDictPtr(PyObject *obj)
 	if (dictoffset == 0)
 		return NULL;
 	if (dictoffset < 0) {
-		const size_t size = _PyObject_VAR_SIZE(tp,
-					((PyVarObject *)obj)->ob_size);
+		int tsize;
+		size_t size;
+
+		tsize = ((PyVarObject *)obj)->ob_size;
+		if (tsize < 0)
+			tsize = -tsize;
+		size = _PyObject_VAR_SIZE(tp, tsize);
+
 		dictoffset += (long)size;
 		assert(dictoffset > 0);
 		assert(dictoffset % SIZEOF_VOID_P == 0);