Merge in release25-maint r60793:
Added checks for integer overflows, contributed by Google. Some are
only available if asserts are left in the code, in cases where they
can't be triggered from Python code.
diff --git a/Python/asdl.c b/Python/asdl.c
index 72329b9..1105d3a 100644
--- a/Python/asdl.c
+++ b/Python/asdl.c
@@ -5,8 +5,22 @@
asdl_seq_new(int size, PyArena *arena)
{
asdl_seq *seq = NULL;
- size_t n = sizeof(asdl_seq) +
- (size ? (sizeof(void *) * (size - 1)) : 0);
+ size_t n = (size ? (sizeof(void *) * (size - 1)) : 0);
+
+ /* check size is sane */
+ if (size < 0 || size == INT_MIN ||
+ (size && ((size - 1) > (PY_SIZE_MAX / sizeof(void *))))) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ /* check if size can be added safely */
+ if (n > PY_SIZE_MAX - sizeof(asdl_seq)) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ n += sizeof(asdl_seq);
seq = (asdl_seq *)PyArena_Malloc(arena, n);
if (!seq) {
@@ -22,8 +36,22 @@
asdl_int_seq_new(int size, PyArena *arena)
{
asdl_int_seq *seq = NULL;
- size_t n = sizeof(asdl_seq) +
- (size ? (sizeof(int) * (size - 1)) : 0);
+ size_t n = (size ? (sizeof(void *) * (size - 1)) : 0);
+
+ /* check size is sane */
+ if (size < 0 || size == INT_MIN ||
+ (size && ((size - 1) > (PY_SIZE_MAX / sizeof(void *))))) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ /* check if size can be added safely */
+ if (n > PY_SIZE_MAX - sizeof(asdl_seq)) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ n += sizeof(asdl_seq);
seq = (asdl_int_seq *)PyArena_Malloc(arena, n);
if (!seq) {
diff --git a/Python/ast.c b/Python/ast.c
index a6bb1b7..4d874af 100644
--- a/Python/ast.c
+++ b/Python/ast.c
@@ -3200,6 +3200,9 @@
buf = (char *)s;
u = NULL;
} else {
+ /* check for integer overflow */
+ if (len > PY_SIZE_MAX / 4)
+ return NULL;
/* "\XX" may become "\u005c\uHHLL" (12 bytes) */
u = PyString_FromStringAndSize((char *)NULL, len * 4);
if (u == NULL)
diff --git a/Python/bltinmodule.c b/Python/bltinmodule.c
index a2ebb4a..e18eb2a 100644
--- a/Python/bltinmodule.c
+++ b/Python/bltinmodule.c
@@ -2792,11 +2792,43 @@
PyString_AS_STRING(item)[0];
} else {
/* do we need more space? */
- Py_ssize_t need = j + reslen + len-i-1;
+ Py_ssize_t need = j;
+
+ /* calculate space requirements while checking for overflow */
+ if (need > PY_SSIZE_T_MAX - reslen) {
+ Py_DECREF(item);
+ goto Fail_1;
+ }
+
+ need += reslen;
+
+ if (need > PY_SSIZE_T_MAX - len) {
+ Py_DECREF(item);
+ goto Fail_1;
+ }
+
+ need += len;
+
+ if (need <= i) {
+ Py_DECREF(item);
+ goto Fail_1;
+ }
+
+ need = need - i - 1;
+
+ assert(need >= 0);
+ assert(outlen >= 0);
+
if (need > outlen) {
/* overallocate, to avoid reallocations */
- if (need<2*outlen)
+ if (outlen > PY_SSIZE_T_MAX / 2) {
+ Py_DECREF(item);
+ return NULL;
+ }
+
+ if (need<2*outlen) {
need = 2*outlen;
+ }
if (_PyString_Resize(&result, need)) {
Py_DECREF(item);
return NULL;
@@ -2888,11 +2920,31 @@
else {
/* do we need more space? */
Py_ssize_t need = j + reslen + len - i - 1;
+
+ /* check that didnt overflow */
+ if ((j > PY_SSIZE_T_MAX - reslen) ||
+ ((j + reslen) > PY_SSIZE_T_MAX - len) ||
+ ((j + reslen + len) < i) ||
+ ((j + reslen + len - i) <= 0)) {
+ Py_DECREF(item);
+ return NULL;
+ }
+
+ assert(need >= 0);
+ assert(outlen >= 0);
+
if (need > outlen) {
/* overallocate,
to avoid reallocations */
- if (need < 2 * outlen)
- need = 2 * outlen;
+ if (need < 2 * outlen) {
+ if (outlen > PY_SSIZE_T_MAX / 2) {
+ Py_DECREF(item);
+ return NULL;
+ } else {
+ need = 2 * outlen;
+ }
+ }
+
if (PyUnicode_Resize(
&result, need) < 0) {
Py_DECREF(item);
diff --git a/Python/compile.c b/Python/compile.c
index c81218d..264fdcd 100644
--- a/Python/compile.c
+++ b/Python/compile.c
@@ -216,6 +216,10 @@
return ident; /* Don't mangle if class is just underscores */
}
plen = strlen(p);
+
+ assert(1 <= PY_SSIZE_T_MAX - nlen);
+ assert(1 + nlen <= PY_SSIZE_T_MAX - plen);
+
ident = PyString_FromStringAndSize(NULL, 1 + nlen + plen);
if (!ident)
return 0;
@@ -621,6 +625,12 @@
size_t oldsize, newsize;
oldsize = b->b_ialloc * sizeof(struct instr);
newsize = oldsize << 1;
+
+ if (oldsize > (PY_SIZE_MAX >> 1)) {
+ PyErr_NoMemory();
+ return -1;
+ }
+
if (newsize == 0) {
PyErr_NoMemory();
return -1;
@@ -3478,6 +3488,10 @@
a->a_lnotab = PyString_FromStringAndSize(NULL, DEFAULT_LNOTAB_SIZE);
if (!a->a_lnotab)
return 0;
+ if (nblocks > PY_SIZE_MAX / sizeof(basicblock *)) {
+ PyErr_NoMemory();
+ return 0;
+ }
a->a_postorder = (basicblock **)PyObject_Malloc(
sizeof(basicblock *) * nblocks);
if (!a->a_postorder) {
@@ -3586,10 +3600,14 @@
nbytes = a->a_lnotab_off + 2 * ncodes;
len = PyString_GET_SIZE(a->a_lnotab);
if (nbytes >= len) {
- if (len * 2 < nbytes)
+ if ((len <= INT_MAX / 2) && (len * 2 < nbytes))
len = nbytes;
- else
+ else if (len <= INT_MAX / 2)
len *= 2;
+ else {
+ PyErr_NoMemory();
+ return 0;
+ }
if (_PyString_Resize(&a->a_lnotab, len) < 0)
return 0;
}
@@ -3608,10 +3626,14 @@
nbytes = a->a_lnotab_off + 2 * ncodes;
len = PyString_GET_SIZE(a->a_lnotab);
if (nbytes >= len) {
- if (len * 2 < nbytes)
+ if ((len <= INT_MAX / 2) && len * 2 < nbytes)
len = nbytes;
- else
+ else if (len <= INT_MAX / 2)
len *= 2;
+ else {
+ PyErr_NoMemory();
+ return 0;
+ }
if (_PyString_Resize(&a->a_lnotab, len) < 0)
return 0;
}
@@ -3670,6 +3692,8 @@
if (i->i_lineno && !assemble_lnotab(a, i))
return 0;
if (a->a_offset + size >= len) {
+ if (len > PY_SSIZE_T_MAX / 2)
+ return 0;
if (_PyString_Resize(&a->a_bytecode, len * 2) < 0)
return 0;
}