bpo-36946: Fix possible signed integer overflow when handling slices. (GH-13375)
The final addition (cur += step) may overflow, so use size_t for "cur".
"cur" is always positive (even for negative steps), so it is safe to use
size_t here.
Co-Authored-By: Martin Panter <vadmium+py@gmail.com>
diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
index f5fc443..b1fb3ee 100644
--- a/Modules/_elementtree.c
+++ b/Modules/_elementtree.c
@@ -1809,7 +1809,8 @@
return element_getitem(self_, i);
}
else if (PySlice_Check(item)) {
- Py_ssize_t start, stop, step, slicelen, cur, i;
+ Py_ssize_t start, stop, step, slicelen, i;
+ size_t cur;
PyObject* list;
if (!self->extra)
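Review bot: The reason `cur` is now `size_t` is recorded only in the commit message, so the bare declaration `size_t cur;` here, and the identical one in the second hunk next to the `element_setitem` call, reads as an arbitrary mix of signed and unsigned locals. I would add a comment at both declarations, e.g. `size_t cur;  /* unsigned: the final cur += step may wrap; signed overflow would be UB */`. The loops that use `cur` start outside both hunks, so it is worth confirming there that every comparison of `cur` with a `Py_ssize_t` value such as a length is written with an explicit cast, because those comparisons are now evaluated as unsigned. With a negative `step`, `cur += step` relies on modular arithmetic, which is well defined but not obvious to a reader without that comment.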
@@ -1861,7 +1862,8 @@
return element_setitem(self_, i, value);
}
else if (PySlice_Check(item)) {
- Py_ssize_t start, stop, step, slicelen, newlen, cur, i;
+ Py_ssize_t start, stop, step, slicelen, newlen, i;
+ size_t cur;
PyObject* recycle = NULL;
PyObject* seq;