Fix uninitialized memory read for cases like def(f, *): pass
There's not much interesting here. The old code read uninitialized
memory, but at worst this incremented i past NCH(n), and no bad
effects followed from that.
diff --git a/Python/ast.c b/Python/ast.c
index 6ec2ef1..9adb5a2 100644
--- a/Python/ast.c
+++ b/Python/ast.c
@@ -742,15 +742,21 @@
}
assert(TYPE(n) == typedargslist || TYPE(n) == varargslist);
- /* first count the number of positional args & defaults */
+ /* First count the number of positional args & defaults. The
+ variable i is the loop index for this for loop and the next.
+ The next loop picks up where the first leaves off.
+ */
for (i = 0; i < NCH(n); i++) {
ch = CHILD(n, i);
if (TYPE(ch) == STAR) {
- /* skip star and possible argument */
+ /* skip star */
i++;
- i += (TYPE(CHILD(n, i)) == tfpdef
- || TYPE(CHILD(n, i)) == vfpdef);
- break;
+ if (i < NCH(n) && /* skip argument following star */
+ (TYPE(CHILD(n, i)) == tfpdef ||
+ TYPE(CHILD(n, i)) == vfpdef)) {
+ i++;
+ }
+ break;
}
if (TYPE(ch) == DOUBLESTAR) break;
if (TYPE(ch) == vfpdef || TYPE(ch) == tfpdef) nposargs++;