bpo-30061: Check if PyObject_Size()/PySequence_Size()/PyMapping_Size() (#1096) (#1180)
raised an error.
(cherry picked from commit bf623ae8843dc30b28c574bec8d29fc14be59d86)
diff --git a/Modules/_io/iobase.c b/Modules/_io/iobase.c
index f7986d7..c864204 100644
--- a/Modules/_io/iobase.c
+++ b/Modules/_io/iobase.c
@@ -625,7 +625,8 @@
if (line == NULL)
return NULL;
- if (PyObject_Size(line) == 0) {
+ if (PyObject_Size(line) <= 0) {
+ /* Error or empty */
Py_DECREF(line);
return NULL;
}
@@ -676,6 +677,7 @@
}
while (1) {
+ Py_ssize_t line_length;
PyObject *line = PyIter_Next(it);
if (line == NULL) {
if (PyErr_Occurred()) {
@@ -689,11 +691,14 @@
Py_DECREF(line);
goto error;
}
- length += PyObject_Size(line);
+ line_length = PyObject_Size(line);
Py_DECREF(line);
-
- if (length > hint)
+ if (line_length < 0) {
+ goto error;
+ }
+ if (line_length > hint - length)
break;
+ length += line_length;
}
Py_DECREF(it);
diff --git a/Modules/_winapi.c b/Modules/_winapi.c
index 91d4f01..248f458 100644
--- a/Modules/_winapi.c
+++ b/Modules/_winapi.c
@@ -722,17 +722,22 @@
return NULL;
}
- envsize = PyMapping_Length(environment);
-
keys = PyMapping_Keys(environment);
values = PyMapping_Values(environment);
if (!keys || !values)
goto error;
+ envsize = PySequence_Fast_GET_SIZE(keys);
+ if (PySequence_Fast_GET_SIZE(values) != envsize) {
+ PyErr_SetString(PyExc_RuntimeError,
+ "environment changed size during iteration");
+ goto error;
+ }
+
totalsize = 1; /* trailing null character */
for (i = 0; i < envsize; i++) {
- PyObject* key = PyList_GET_ITEM(keys, i);
- PyObject* value = PyList_GET_ITEM(values, i);
+ PyObject* key = PySequence_Fast_GET_ITEM(keys, i);
+ PyObject* value = PySequence_Fast_GET_ITEM(values, i);
if (! PyUnicode_Check(key) || ! PyUnicode_Check(value)) {
PyErr_SetString(PyExc_TypeError,
@@ -760,8 +765,8 @@
end = buffer + totalsize;
for (i = 0; i < envsize; i++) {
- PyObject* key = PyList_GET_ITEM(keys, i);
- PyObject* value = PyList_GET_ITEM(values, i);
+ PyObject* key = PySequence_Fast_GET_ITEM(keys, i);
+ PyObject* value = PySequence_Fast_GET_ITEM(values, i);
if (!PyUnicode_AsUCS4(key, p, end - p, 0))
goto error;
p += PyUnicode_GET_LENGTH(key);
diff --git a/Modules/cjkcodecs/multibytecodec.c b/Modules/cjkcodecs/multibytecodec.c
index d1da189..d6efc77 100644
--- a/Modules/cjkcodecs/multibytecodec.c
+++ b/Modules/cjkcodecs/multibytecodec.c
@@ -1670,6 +1670,9 @@
if (r == -1)
return NULL;
}
+ /* PySequence_Length() can fail */
+ if (PyErr_Occurred())
+ return NULL;
Py_RETURN_NONE;
}
diff --git a/Modules/posixmodule.c b/Modules/posixmodule.c
index 2ea5e2d..f4bbc89 100644
--- a/Modules/posixmodule.c
+++ b/Modules/posixmodule.c
@@ -6650,7 +6650,7 @@
os_setgroups(PyObject *module, PyObject *groups)
/*[clinic end generated code: output=3fcb32aad58c5ecd input=fa742ca3daf85a7e]*/
{
- int i, len;
+ Py_ssize_t i, len;
gid_t grouplist[MAX_GROUPS];
if (!PySequence_Check(groups)) {
@@ -6658,6 +6658,9 @@
return NULL;
}
len = PySequence_Size(groups);
+ if (len < 0) {
+ return NULL;
+ }
if (len > MAX_GROUPS) {
PyErr_SetString(PyExc_ValueError, "too many groups");
return NULL;
@@ -7886,9 +7889,9 @@
#if (defined(HAVE_SENDFILE) && (defined(__FreeBSD__) || defined(__DragonFly__) \
|| defined(__APPLE__))) || defined(HAVE_READV) || defined(HAVE_WRITEV)
static Py_ssize_t
-iov_setup(struct iovec **iov, Py_buffer **buf, PyObject *seq, int cnt, int type)
+iov_setup(struct iovec **iov, Py_buffer **buf, PyObject *seq, Py_ssize_t cnt, int type)
{
- int i, j;
+ Py_ssize_t i, j;
Py_ssize_t blen, total = 0;
*iov = PyMem_New(struct iovec, cnt);
@@ -7965,8 +7968,7 @@
os_readv_impl(PyObject *module, int fd, PyObject *buffers)
/*[clinic end generated code: output=792da062d3fcebdb input=e679eb5dbfa0357d]*/
{
- int cnt;
- Py_ssize_t n;
+ Py_ssize_t cnt, n;
int async_err = 0;
struct iovec *iov;
Py_buffer *buf;
@@ -7978,6 +7980,8 @@
}
cnt = PySequence_Size(buffers);
+ if (cnt < 0)
+ return -1;
if (iov_setup(&iov, &buf, buffers, cnt, PyBUF_WRITABLE) < 0)
return -1;
@@ -8116,15 +8120,24 @@
"sendfile() headers must be a sequence");
return NULL;
} else {
- Py_ssize_t i = 0; /* Avoid uninitialized warning */
- sf.hdr_cnt = PySequence_Size(headers);
- if (sf.hdr_cnt > 0 &&
- (i = iov_setup(&(sf.headers), &hbuf,
- headers, sf.hdr_cnt, PyBUF_SIMPLE)) < 0)
+ Py_ssize_t i = PySequence_Size(headers);
+ if (i < 0)
return NULL;
+ if (i > INT_MAX) {
+ PyErr_SetString(PyExc_OverflowError,
+ "sendfile() header is too large");
+ return NULL;
+ }
+ if (i > 0) {
+ sf.hdr_cnt = (int)i;
+ i = iov_setup(&(sf.headers), &hbuf,
+ headers, sf.hdr_cnt, PyBUF_SIMPLE);
+ if (i < 0)
+ return NULL;
#ifdef __APPLE__
- sbytes += i;
+ sbytes += i;
#endif
+ }
}
}
if (trailers != NULL) {
@@ -8133,15 +8146,24 @@
"sendfile() trailers must be a sequence");
return NULL;
} else {
- Py_ssize_t i = 0; /* Avoid uninitialized warning */
- sf.trl_cnt = PySequence_Size(trailers);
- if (sf.trl_cnt > 0 &&
- (i = iov_setup(&(sf.trailers), &tbuf,
- trailers, sf.trl_cnt, PyBUF_SIMPLE)) < 0)
+ Py_ssize_t i = PySequence_Size(trailers);
+ if (i < 0)
return NULL;
+ if (i > INT_MAX) {
+ PyErr_SetString(PyExc_OverflowError,
+ "sendfile() trailer is too large");
+ return NULL;
+ }
+ if (i > 0) {
+ sf.trl_cnt = (int)i;
+ i = iov_setup(&(sf.trailers), &tbuf,
+ trailers, sf.trl_cnt, PyBUF_SIMPLE);
+ if (i < 0)
+ return NULL;
#ifdef __APPLE__
- sbytes += i;
+ sbytes += i;
#endif
+ }
}
}
@@ -8411,7 +8433,7 @@
os_writev_impl(PyObject *module, int fd, PyObject *buffers)
/*[clinic end generated code: output=56565cfac3aac15b input=5b8d17fe4189d2fe]*/
{
- int cnt;
+ Py_ssize_t cnt;
Py_ssize_t result;
int async_err = 0;
struct iovec *iov;
@@ -8423,6 +8445,8 @@
return -1;
}
cnt = PySequence_Size(buffers);
+ if (cnt < 0)
+ return -1;
if (iov_setup(&iov, &buf, buffers, cnt, PyBUF_SIMPLE) < 0) {
return -1;