Restrict co_code to be under INT_MAX in codeobject (GH-20628)

Ammar Askar 2020-06-10 23:31:22 +00:00 committed by GitHub
parent 1642c0ef75
commit 3b3b83c965
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 3 deletions


@ -166,6 +166,14 @@ PyCode_NewWithPosOnlyArgs(int argcount, int posonlyargcount, int kwonlyargcount,
return NULL; return NULL;
} }
/* Make sure that code is indexable with an int, this is
a long running assumption in ceval.c and many parts of
the interpreter. */
if (PyBytes_GET_SIZE(code) > INT_MAX) {
PyErr_SetString(PyExc_OverflowError, "co_code larger than INT_MAX");
return NULL;
}
/* Check for any inner or outer closure references */ /* Check for any inner or outer closure references */
n_cellvars = PyTuple_GET_SIZE(cellvars); n_cellvars = PyTuple_GET_SIZE(cellvars);
if (!n_cellvars && !PyTuple_GET_SIZE(freevars)) { if (!n_cellvars && !PyTuple_GET_SIZE(freevars)) {
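Review bot: The new guard rejects only sizes greater than INT_MAX (`if (PyBytes_GET_SIZE(code) > INT_MAX)`), while the commit title and the comment added in the frame_setlineno hunk both describe co_code as being under INT_MAX. A size of exactly INT_MAX still passes; that is fine for indexing but leaves no headroom for a consumer that adds to a byte offset held in an `int`, and whether such a consumer exists is not visible here. Either tighten the test to `>= INT_MAX` or word both comments as "at most INT_MAX" so the documented invariant matches the check. The guard also depends on `code` having already been validated as a bytes object earlier in PyCode_NewWithPosOnlyArgs, which lies outside this hunk.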


@ -397,9 +397,9 @@ frame_setlineno(PyFrameObject *f, PyObject* p_new_lineno, void *Py_UNUSED(ignore
return -1; return -1;
} }
int len = Py_SAFE_DOWNCAST( /* PyCode_NewWithPosOnlyArgs limits co_code to be under INT_MAX so this
PyBytes_GET_SIZE(f->f_code->co_code)/sizeof(_Py_CODEUNIT), * should never overflow. */
Py_ssize_t, int); int len = (int)(PyBytes_GET_SIZE(f->f_code->co_code) / sizeof(_Py_CODEUNIT));
int *lines = marklines(f->f_code, len); int *lines = marklines(f->f_code, len);
if (lines == NULL) { if (lines == NULL) {
return -1; return -1;
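Review bot: Replacing `Py_SAFE_DOWNCAST` with a plain `(int)` cast drops the debug-build assertion that macro performs, so the narrowing of `len` now rests entirely on an invariant enforced in a different file. If a code object ever reaches this point without having passed the constructor's size check, `len` would be truncated silently and then handed to `marklines`. A one-line guard directly above the cast, `assert(PyBytes_GET_SIZE(f->f_code->co_code) <= INT_MAX);`, keeps the debug-time check and documents the dependency where it is used. frame_setlineno begins and ends outside this hunk.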