check for overflow in combinations_with_replacement (closes #23365)
diff --git a/Lib/test/test_itertools.py b/Lib/test/test_itertools.py
index cbb1b92..9cd3ad8 100644
--- a/Lib/test/test_itertools.py
+++ b/Lib/test/test_itertools.py
@@ -213,6 +213,11 @@
self.assertEqual(result, list(cwr1(values, r))) # matches first pure python version
self.assertEqual(result, list(cwr2(values, r))) # matches second pure python version
+ @test_support.bigaddrspacetest
+ def test_combinations_with_replacement_overflow(self):
+ with self.assertRaises(OverflowError):
+ combinations_with_replacement("AA", 2**30)
+
@test_support.impl_detail("tuple reuse is specific to CPython")
def test_combinations_with_replacement_tuple_reuse(self):
cwr = combinations_with_replacement
diff --git a/Misc/NEWS b/Misc/NEWS
index 87a1d9f..b213a29 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -18,6 +18,9 @@
Library
-------
+- Issue #23365: Fixed possible integer overflow in
+ itertools.combinations_with_replacement.
+
- Issue #23366: Fixed possible integer overflow in itertools.combinations.
- Issue #23191: fnmatch functions that use caching are now threadsafe.
diff --git a/Modules/itertoolsmodule.c b/Modules/itertoolsmodule.c
index 4eab79c..47a5e8b 100644
--- a/Modules/itertoolsmodule.c
+++ b/Modules/itertoolsmodule.c
@@ -2346,6 +2346,10 @@
goto error;
}
+ if (r > PY_SSIZE_T_MAX/sizeof(Py_ssize_t)) {
+ PyErr_SetString(PyExc_OverflowError, "r is too big");
+ goto error;
+ }
indices = PyMem_Malloc(r * sizeof(Py_ssize_t));
if (indices == NULL) {
PyErr_NoMemory();