check for overflows in permutations() and product() (closes #23363, closes #23364)
diff --git a/Modules/itertoolsmodule.c b/Modules/itertoolsmodule.c
index 47a5e8b..b63975c 100644
--- a/Modules/itertoolsmodule.c
+++ b/Modules/itertoolsmodule.c
@@ -1842,8 +1842,17 @@
}
}
- assert(PyTuple_Check(args));
- nargs = (repeat == 0) ? 0 : PyTuple_GET_SIZE(args);
+ assert(PyTuple_CheckExact(args));
+ if (repeat == 0) {
+ nargs = 0;
+ } else {
+ nargs = PyTuple_GET_SIZE(args);
+ if (repeat > PY_SSIZE_T_MAX/sizeof(Py_ssize_t) ||
+ nargs > PY_SSIZE_T_MAX/(repeat * sizeof(Py_ssize_t))) {
+ PyErr_SetString(PyExc_OverflowError, "repeat argument too large");
+ return NULL;
+ }
+ }
npools = nargs * repeat;
indices = PyMem_Malloc(npools * sizeof(Py_ssize_t));
@@ -2603,6 +2612,11 @@
goto error;
}
+ if (n > PY_SSIZE_T_MAX/sizeof(Py_ssize_t) ||
+ r > PY_SSIZE_T_MAX/sizeof(Py_ssize_t)) {
+ PyErr_SetString(PyExc_OverflowError, "parameters too large");
+ goto error;
+ }
indices = PyMem_Malloc(n * sizeof(Py_ssize_t));
cycles = PyMem_Malloc(r * sizeof(Py_ssize_t));
if (indices == NULL || cycles == NULL) {