bpo-30061: Check if PyObject_Size()/PySequence_Size()/PyMapping_Size() (#1096) (#1180)
raised an error.
(cherry picked from commit bf623ae8843dc30b28c574bec8d29fc14be59d86)
diff --git a/Modules/posixmodule.c b/Modules/posixmodule.c
index 2ea5e2d..f4bbc89 100644
--- a/Modules/posixmodule.c
+++ b/Modules/posixmodule.c
@@ -6650,7 +6650,7 @@
os_setgroups(PyObject *module, PyObject *groups)
/*[clinic end generated code: output=3fcb32aad58c5ecd input=fa742ca3daf85a7e]*/
{
- int i, len;
+ Py_ssize_t i, len;
gid_t grouplist[MAX_GROUPS];
if (!PySequence_Check(groups)) {
@@ -6658,6 +6658,9 @@
return NULL;
}
len = PySequence_Size(groups);
+ if (len < 0) {
+ return NULL;
+ }
if (len > MAX_GROUPS) {
PyErr_SetString(PyExc_ValueError, "too many groups");
return NULL;
@@ -7886,9 +7889,9 @@
#if (defined(HAVE_SENDFILE) && (defined(__FreeBSD__) || defined(__DragonFly__) \
|| defined(__APPLE__))) || defined(HAVE_READV) || defined(HAVE_WRITEV)
static Py_ssize_t
-iov_setup(struct iovec **iov, Py_buffer **buf, PyObject *seq, int cnt, int type)
+iov_setup(struct iovec **iov, Py_buffer **buf, PyObject *seq, Py_ssize_t cnt, int type)
{
- int i, j;
+ Py_ssize_t i, j;
Py_ssize_t blen, total = 0;
*iov = PyMem_New(struct iovec, cnt);
@@ -7965,8 +7968,7 @@
os_readv_impl(PyObject *module, int fd, PyObject *buffers)
/*[clinic end generated code: output=792da062d3fcebdb input=e679eb5dbfa0357d]*/
{
- int cnt;
- Py_ssize_t n;
+ Py_ssize_t cnt, n;
int async_err = 0;
struct iovec *iov;
Py_buffer *buf;
@@ -7978,6 +7980,8 @@
}
cnt = PySequence_Size(buffers);
+ if (cnt < 0)
+ return -1;
if (iov_setup(&iov, &buf, buffers, cnt, PyBUF_WRITABLE) < 0)
return -1;
@@ -8116,15 +8120,24 @@
"sendfile() headers must be a sequence");
return NULL;
} else {
- Py_ssize_t i = 0; /* Avoid uninitialized warning */
- sf.hdr_cnt = PySequence_Size(headers);
- if (sf.hdr_cnt > 0 &&
- (i = iov_setup(&(sf.headers), &hbuf,
- headers, sf.hdr_cnt, PyBUF_SIMPLE)) < 0)
+ Py_ssize_t i = PySequence_Size(headers);
+ if (i < 0)
return NULL;
+ if (i > INT_MAX) {
+ PyErr_SetString(PyExc_OverflowError,
+ "sendfile() header is too large");
+ return NULL;
+ }
+ if (i > 0) {
+ sf.hdr_cnt = (int)i;
+ i = iov_setup(&(sf.headers), &hbuf,
+ headers, sf.hdr_cnt, PyBUF_SIMPLE);
+ if (i < 0)
+ return NULL;
#ifdef __APPLE__
- sbytes += i;
+ sbytes += i;
#endif
+ }
}
}
if (trailers != NULL) {
@@ -8133,15 +8146,24 @@
"sendfile() trailers must be a sequence");
return NULL;
} else {
- Py_ssize_t i = 0; /* Avoid uninitialized warning */
- sf.trl_cnt = PySequence_Size(trailers);
- if (sf.trl_cnt > 0 &&
- (i = iov_setup(&(sf.trailers), &tbuf,
- trailers, sf.trl_cnt, PyBUF_SIMPLE)) < 0)
+ Py_ssize_t i = PySequence_Size(trailers);
+ if (i < 0)
return NULL;
+ if (i > INT_MAX) {
+ PyErr_SetString(PyExc_OverflowError,
+ "sendfile() trailer is too large");
+ return NULL;
+ }
+ if (i > 0) {
+ sf.trl_cnt = (int)i;
+ i = iov_setup(&(sf.trailers), &tbuf,
+ trailers, sf.trl_cnt, PyBUF_SIMPLE);
+ if (i < 0)
+ return NULL;
#ifdef __APPLE__
- sbytes += i;
+ sbytes += i;
#endif
+ }
}
}
@@ -8411,7 +8433,7 @@
os_writev_impl(PyObject *module, int fd, PyObject *buffers)
/*[clinic end generated code: output=56565cfac3aac15b input=5b8d17fe4189d2fe]*/
{
- int cnt;
+ Py_ssize_t cnt;
Py_ssize_t result;
int async_err = 0;
struct iovec *iov;
@@ -8423,6 +8445,8 @@
return -1;
}
cnt = PySequence_Size(buffers);
+ if (cnt < 0)
+ return -1;
if (iov_setup(&iov, &buf, buffers, cnt, PyBUF_SIMPLE) < 0) {
return -1;