commit dda9121ad1108d625d546548df787083a0f7a5b5
author Benjamin Peterson <benjamin@python.org> Sun Feb 01 21:34:07 2015 -0500
committer Benjamin Peterson <benjamin@python.org> Sun Feb 01 21:34:07 2015 -0500
tree 4b9a254cfa58b0607daed4cd0d215ba6ca84d1aa
parent 17845c1786d8659dce42a3b906d0ae31fc1c3dac

check for overflows in permutations() and product() (closes #23363, closes #23364)

Modules/itertoolsmodule.c

diff --git a/Modules/itertoolsmodule.c b/Modules/itertoolsmodule.c
index 47a5e8b..b63975c 100644
--- a/Modules/itertoolsmodule.c
+++ b/Modules/itertoolsmodule.c
@@ -1842,8 +1842,17 @@
         }
     }
 
-    assert(PyTuple_Check(args));
-    nargs = (repeat == 0) ? 0 : PyTuple_GET_SIZE(args);
+    assert(PyTuple_CheckExact(args));
+    if (repeat == 0) {
+        nargs = 0;
+    } else {
+        nargs = PyTuple_GET_SIZE(args);
+        if (repeat > PY_SSIZE_T_MAX/sizeof(Py_ssize_t) ||
+            nargs > PY_SSIZE_T_MAX/(repeat * sizeof(Py_ssize_t))) {
+            PyErr_SetString(PyExc_OverflowError, "repeat argument too large");
+            return NULL;
+        }
+    }
     npools = nargs * repeat;
 
     indices = PyMem_Malloc(npools * sizeof(Py_ssize_t));
@@ -2603,6 +2612,11 @@
         goto error;
     }
 
+    if (n > PY_SSIZE_T_MAX/sizeof(Py_ssize_t) ||
+        r > PY_SSIZE_T_MAX/sizeof(Py_ssize_t)) {
+        PyErr_SetString(PyExc_OverflowError, "parameters too large");
+        goto error;
+    }
     indices = PyMem_Malloc(n * sizeof(Py_ssize_t));
     cycles = PyMem_Malloc(r * sizeof(Py_ssize_t));
     if (indices == NULL || cycles == NULL) {