commit 2a0438d2e4f023b5edf0fcb27151b6ec4357642e
author Martin Panter <vadmium+py@gmail.com> Mon Jul 25 02:30:05 2016 +0000
committer Martin Panter <vadmium+py@gmail.com> Mon Jul 25 02:30:05 2016 +0000
tree 7b5f51b01f6f527f4e2c5c1a5ab4567a0e6739b7
parent 1e411c5c78b67cefb7a4ef89bd49eba5f7b5125d

Issue #27581: Don’t rely on overflow wrapping in PySequence_Tuple()

Patch by Xiang Zhang.

Misc/NEWS

diff --git a/Misc/NEWS b/Misc/NEWS
index ddaa1d3..3158c33 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -16,6 +16,9 @@
 - Issue #27507: Add integer overflow check in bytearray.extend().  Patch by
   Xiang Zhang.
 
+- Issue #27581: Don't rely on wrapping for overflow check in
+  PySequence_Tuple().  Patch by Xiang Zhang.
+
 - Issue #23908: os functions, open() and the io.FileIO constructor now reject
   unicode paths with embedded null character on Windows instead of silently
   truncating them.

Objects/abstract.c

diff --git a/Objects/abstract.c b/Objects/abstract.c
index 2cb34b7..aa92ea9 100644
--- a/Objects/abstract.c
+++ b/Objects/abstract.c
@@ -2211,21 +2211,22 @@
             break;
         }
         if (j >= n) {
-            Py_ssize_t oldn = n;
+            size_t newn = (size_t)n;
             /* The over-allocation strategy can grow a bit faster
                than for lists because unlike lists the
                over-allocation isn't permanent -- we reclaim
                the excess before the end of this routine.
                So, grow by ten and then add 25%.
             */
-            n += 10;
-            n += n >> 2;
-            if (n < oldn) {
+            newn += 10u;
+            newn += newn >> 2;
+            if (newn > PY_SSIZE_T_MAX) {
                 /* Check for overflow */
                 PyErr_NoMemory();
                 Py_DECREF(item);
                 goto Fail;
             }
+            n = (Py_ssize_t)newn;
             if (_PyTuple_Resize(&result, n) != 0) {
                 Py_DECREF(item);
                 goto Fail;