bpo-36504: Fix signed integer overflow in _ctypes.c's PyCArrayType_new(). (GH-12660)

2019-04-02 04:47:51 -06:00 · 2019-04-02 04:47:51 -06:00 · 487b73ab39
parent b8311cf5e5
commit 487b73ab39
3 changed files with 8 additions and 1 deletions
--- a/Lib/ctypes/test/test_arrays.py
+++ b/Lib/ctypes/test/test_arrays.py
@ -197,6 +197,12 @@ class ArrayTestCase(unittest.TestCase):
            _type_ = c_int
            _length_ = 0

+    def test_bpo36504_signed_int_overflow(self):
+        # The overflow check in PyCArrayType_new() could cause signed integer
+        # overflow.
+        with self.assertRaises(OverflowError):
+            c_char * sys.maxsize * 2
+
    @unittest.skipUnless(sys.maxsize > 2**32, 'requires 64bit platform')
    @bigmemtest(size=_2G, memuse=1, dry_run=False)
    def test_large_array(self, size):
--- a/Builtins/2019-04-02-04-10-32.bpo-36504.k_V8Bm.rst
+++ b/Builtins/2019-04-02-04-10-32.bpo-36504.k_V8Bm.rst
@ -0,0 +1 @@
+Fix signed integer overflow in _ctypes.c's ``PyCArrayType_new()``.
--- a/Modules/_ctypes/_ctypes.c
+++ b/Modules/_ctypes/_ctypes.c
@ -1518,7 +1518,7 @@ PyCArrayType_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
    }

    itemsize = itemdict->size;
-    if (length * itemsize < 0) {
+    if (length > PY_SSIZE_T_MAX / itemsize) {
        PyErr_SetString(PyExc_OverflowError,
                        "array too large");
        goto error;
				`@ -0,0 +1 @@`
				Fix signed integer overflow in _ctypes.c's ``PyCArrayType_new()``.