SF patch #103158 by Greg Ball: Don't do unsafe arithmetic in xrange

object.

This fixes potential overflows in xrange()'s internal calculations on
64-bit platforms.  The fix is complicated because the sq_length slot
function can only return an int; we want to support
xrange(sys.maxint), which is a 64-bit quantity on most 64-bit
platforms (except Win64).  The solution is hacky but the best
possible: when the range is that long, we can use it in a for loop but
we can't ask for its length (nor can we actually iterate beyond
2**31-1, because the sq_item slot function has the same restrictions
on its arguments.  Fixing those restrictions is a project for another
day...
This commit is contained in:
Guido van Rossum 2001-01-15 18:58:56 +00:00
parent afc4f0413a
commit 65e0b99b61
1 changed files with 80 additions and 10 deletions

View File

@ -11,21 +11,80 @@ typedef struct {
long step; long step;
long len; long len;
int reps; int reps;
long totlen;
} rangeobject; } rangeobject;
static int
long_mul(long i, long j, long *kk)
{
PyObject *a;
PyObject *b;
PyObject *c;
if ((a = PyInt_FromLong(i)) == NULL)
return 0;
if ((b = PyInt_FromLong(j)) == NULL)
return 0;
c = PyNumber_Multiply(a, b);
Py_DECREF(a);
Py_DECREF(b);
if (c == NULL)
return 0;
*kk = PyInt_AS_LONG(c);
Py_DECREF(c);
if (*kk > INT_MAX) {
PyErr_SetString(PyExc_OverflowError,
"integer multiplication");
return 0;
}
else
return 1;
}
PyObject * PyObject *
PyRange_New(long start, long len, long step, int reps) PyRange_New(long start, long len, long step, int reps)
{ {
long totlen = -1;
rangeobject *obj = PyObject_NEW(rangeobject, &PyRange_Type); rangeobject *obj = PyObject_NEW(rangeobject, &PyRange_Type);
if (obj == NULL) if (obj == NULL)
return NULL; return NULL;
if (len == 0 || reps <= 0) {
start = 0;
len = 0;
step = 1;
reps = 1;
totlen = 0;
}
else {
long last = start + (len - 1) * step;
if ((step > 0) ?
(last > (PyInt_GetMax() - step))
:(last < (-1 - PyInt_GetMax() - step))) {
PyErr_SetString(PyExc_OverflowError,
"integer addition");
return NULL;
}
if (! long_mul(len, (long) reps, &totlen)) {
if(!PyErr_ExceptionMatches(PyExc_OverflowError))
return NULL;
PyErr_Clear();
totlen = -1;
}
}
obj->start = start; obj->start = start;
obj->len = len; obj->len = len;
obj->step = step; obj->step = step;
obj->reps = reps; obj->reps = reps;
obj->totlen = totlen;
return (PyObject *) obj; return (PyObject *) obj;
} }
@ -39,11 +98,12 @@ range_dealloc(rangeobject *r)
static PyObject * static PyObject *
range_item(rangeobject *r, int i) range_item(rangeobject *r, int i)
{ {
if (i < 0 || i >= r->len * r->reps) { if (i < 0 || i >= r->totlen)
PyErr_SetString(PyExc_IndexError, if (r->totlen!=-1) {
PyErr_SetString(PyExc_IndexError,
"xrange object index out of range"); "xrange object index out of range");
return NULL; return NULL;
} }
return PyInt_FromLong(r->start + (i % r->len) * r->step); return PyInt_FromLong(r->start + (i % r->len) * r->step);
} }
@ -51,7 +111,10 @@ range_item(rangeobject *r, int i)
static int static int
range_length(rangeobject *r) range_length(rangeobject *r)
{ {
return r->len * r->reps; if (r->totlen == -1)
PyErr_SetString(PyExc_OverflowError,
"xrange object has too many items");
return r->totlen;
} }
static PyObject * static PyObject *
@ -93,7 +156,9 @@ range_concat(rangeobject *r, PyObject *obj)
static PyObject * static PyObject *
range_repeat(rangeobject *r, int n) range_repeat(rangeobject *r, int n)
{ {
if (n < 0) long lreps = 0;
if (n <= 0)
return (PyObject *) PyRange_New(0, 0, 1, 1); return (PyObject *) PyRange_New(0, 0, 1, 1);
else if (n == 1) { else if (n == 1) {
@ -101,12 +166,15 @@ range_repeat(rangeobject *r, int n)
return (PyObject *) r; return (PyObject *) r;
} }
else if (! long_mul((long) r->reps, (long) n, &lreps))
return NULL;
else else
return (PyObject *) PyRange_New( return (PyObject *) PyRange_New(
r->start, r->start,
r->len, r->len,
r->step, r->step,
r->reps * n); (int) lreps);
} }
static int static int
@ -161,15 +229,17 @@ range_tolist(rangeobject *self, PyObject *args)
{ {
PyObject *thelist; PyObject *thelist;
int j; int j;
int len = self->len * self->reps;
if (! PyArg_ParseTuple(args, ":tolist")) if (! PyArg_ParseTuple(args, ":tolist"))
return NULL; return NULL;
if ((thelist = PyList_New(len)) == NULL) if (self->totlen == -1)
return PyErr_NoMemory();
if ((thelist = PyList_New(self->totlen)) == NULL)
return NULL; return NULL;
for (j = 0; j < len; ++j) for (j = 0; j < self->totlen; ++j)
if ((PyList_SetItem(thelist, j, (PyObject *) PyInt_FromLong( if ((PyList_SetItem(thelist, j, (PyObject *) PyInt_FromLong(
self->start + (j % self->len) * self->step))) < 0) self->start + (j % self->len) * self->step))) < 0)
return NULL; return NULL;