commit 0c08fe09f9b3afdff8bed06f3839126c1c3e7daa
author Martin Panter <vadmium+py@gmail.com> Mon Jul 18 07:53:13 2016 +0000
committer Martin Panter <vadmium+py@gmail.com> Mon Jul 18 07:53:13 2016 +0000
tree b85a4004a803f5141115933273bf13d46dcffe81
parent 6c4fa70da66d7efbf838a93bc69c7bdf2dda65f8

Issue #27507: Check for integer overflow in bytearray.extend()

Patch by Xiang Zhang.

Misc/NEWS

diff --git a/Misc/NEWS b/Misc/NEWS
index 7e762e8..0516277 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@
 - Issue #27473: Fixed possible integer overflow in str, unicode and bytearray
   concatenations and repetitions.  Based on patch by Xiang Zhang.
 
+- Issue #27507: Add integer overflow check in bytearray.extend().  Patch by
+  Xiang Zhang.
+
 - Issue #23908: os functions, open() and the io.FileIO constructor now reject
   unicode paths with embedded null character on Windows instead of silently
   truncating them.

Objects/bytearrayobject.c

diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c
index bf8a74e..f13bc14 100644
--- a/Objects/bytearrayobject.c
+++ b/Objects/bytearrayobject.c
@@ -2322,7 +2322,17 @@
         Py_DECREF(item);
 
         if (len >= buf_size) {
-            buf_size = len + (len >> 1) + 1;
+            Py_ssize_t addition;
+            if (len == PY_SSIZE_T_MAX) {
+                Py_DECREF(it);
+                Py_DECREF(bytearray_obj);
+                return PyErr_NoMemory();
+            }
+            addition = len >> 1;
+            if (addition > PY_SSIZE_T_MAX - len - 1)
+                buf_size = PY_SSIZE_T_MAX;
+            else
+                buf_size = len + addition + 1;
             if (PyByteArray_Resize((PyObject *)bytearray_obj, buf_size) < 0) {
                 Py_DECREF(it);
                 Py_DECREF(bytearray_obj);