bpo-36946: Fix possible signed integer overflow when handling slices. (GH-13375)
The final addition (cur += step) may overflow, so use size_t for "cur".
"cur" is always positive (even for negative steps), so it is safe to use
size_t here.
Co-Authored-By: Martin Panter <vadmium+py@gmail.com>
diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c
index eaf5dce..8d5ba54 100644
--- a/Objects/bytearrayobject.c
+++ b/Objects/bytearrayobject.c
@@ -410,7 +410,8 @@
return PyLong_FromLong((unsigned char)(PyByteArray_AS_STRING(self)[i]));
}
else if (PySlice_Check(index)) {
- Py_ssize_t start, stop, step, slicelength, cur, i;
+ Py_ssize_t start, stop, step, slicelength, i;
+ size_t cur;
if (PySlice_Unpack(index, &start, &stop, &step) < 0) {
return NULL;
}
diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
index b7c5b75..ebbdb7c 100644
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -1677,7 +1677,8 @@
return PyLong_FromLong((unsigned char)self->ob_sval[i]);
}
else if (PySlice_Check(item)) {
- Py_ssize_t start, stop, step, slicelength, cur, i;
+ Py_ssize_t start, stop, step, slicelength, i;
+ size_t cur;
char* source_buf;
char* result_buf;
PyObject* result;
diff --git a/Objects/tupleobject.c b/Objects/tupleobject.c
index 9f0fc1c..dc1d0e5 100644
--- a/Objects/tupleobject.c
+++ b/Objects/tupleobject.c
@@ -753,7 +753,8 @@
return tupleitem(self, i);
}
else if (PySlice_Check(item)) {
- Py_ssize_t start, stop, step, slicelength, cur, i;
+ Py_ssize_t start, stop, step, slicelength, i;
+ size_t cur;
PyObject* result;
PyObject* it;
PyObject **src, **dest;
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index eaba583..0aa5e4a 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -13991,7 +13991,8 @@
i += PyUnicode_GET_LENGTH(self);
return unicode_getitem(self, i);
} else if (PySlice_Check(item)) {
- Py_ssize_t start, stop, step, slicelength, cur, i;
+ Py_ssize_t start, stop, step, slicelength, i;
+ size_t cur;
PyObject *result;
void *src_data, *dest_data;
int src_kind, dest_kind;