Forward-port of r52136,52138: a review of overflow-detecting code.
* unified the way intobject, longobject and mystrtoul handle
values around -sys.maxint-1.
* in general, trying to entierely avoid overflows in any computation
involving signed ints or longs is extremely involved. Fixed a few
simple cases where a compiler might be too clever (but that's all
guesswork).
* more overflow checks against bad data in marshal.c.
* 2.5 specific: fixed a number of places that were still confusing int
and Py_ssize_t. Some of them could potentially have caused
"real-world" breakage.
* list.pop(x): fixing overflow issues on x was messy. I just reverted
to PyArg_ParseTuple("n"), which does the right thing. (An obscure
test was trying to give a Decimal to list.pop()... doesn't make
sense any more IMHO)
* trying to write a few tests...
diff --git a/Python/errors.c b/Python/errors.c
index 7b71051..66a734e 100644
--- a/Python/errors.c
+++ b/Python/errors.c
@@ -551,7 +551,8 @@
goto failure;
}
if (PyDict_GetItemString(dict, "__module__") == NULL) {
- modulename = PyString_FromStringAndSize(name, (int)(dot-name));
+ modulename = PyString_FromStringAndSize(name,
+ (Py_ssize_t)(dot-name));
if (modulename == NULL)
goto failure;
if (PyDict_SetItemString(dict, "__module__", modulename) != 0)
diff --git a/Python/getargs.c b/Python/getargs.c
index b676a5e..a848116 100644
--- a/Python/getargs.c
+++ b/Python/getargs.c
@@ -815,7 +815,7 @@
#endif
else
return converterr("string", arg, msgbuf, bufsize);
- if ((int)strlen(*p) != PyString_Size(arg))
+ if ((Py_ssize_t)strlen(*p) != PyString_Size(arg))
return converterr("string without null bytes",
arg, msgbuf, bufsize);
}
@@ -882,7 +882,7 @@
format++;
}
else if (*p != NULL &&
- (int)strlen(*p) != PyString_Size(arg))
+ (Py_ssize_t)strlen(*p) != PyString_Size(arg))
return converterr(
"string without null bytes or None",
arg, msgbuf, bufsize);
@@ -1029,7 +1029,8 @@
PyMem_Free()ing it after usage
*/
- if ((int)strlen(PyString_AS_STRING(s)) != size) {
+ if ((Py_ssize_t)strlen(PyString_AS_STRING(s))
+ != size) {
Py_DECREF(s);
return converterr(
"(encoded string without NULL bytes)",
diff --git a/Python/marshal.c b/Python/marshal.c
index c3bc87f..776836e 100644
--- a/Python/marshal.c
+++ b/Python/marshal.c
@@ -546,6 +546,11 @@
int size;
PyLongObject *ob;
n = r_long(p);
+ if (n < -INT_MAX || n > INT_MAX) {
+ PyErr_SetString(PyExc_ValueError,
+ "bad marshal data");
+ return NULL;
+ }
size = n<0 ? -n : n;
ob = _PyLong_New(size);
if (ob == NULL)
@@ -654,7 +659,7 @@
case TYPE_INTERNED:
case TYPE_STRING:
n = r_long(p);
- if (n < 0) {
+ if (n < 0 || n > INT_MAX) {
PyErr_SetString(PyExc_ValueError, "bad marshal data");
return NULL;
}
@@ -689,7 +694,7 @@
char *buffer;
n = r_long(p);
- if (n < 0) {
+ if (n < 0 || n > INT_MAX) {
PyErr_SetString(PyExc_ValueError, "bad marshal data");
return NULL;
}
@@ -710,7 +715,7 @@
case TYPE_TUPLE:
n = r_long(p);
- if (n < 0) {
+ if (n < 0 || n > INT_MAX) {
PyErr_SetString(PyExc_ValueError, "bad marshal data");
return NULL;
}
@@ -733,7 +738,7 @@
case TYPE_LIST:
n = r_long(p);
- if (n < 0) {
+ if (n < 0 || n > INT_MAX) {
PyErr_SetString(PyExc_ValueError, "bad marshal data");
return NULL;
}
@@ -831,10 +836,11 @@
v = NULL;
- argcount = r_long(p);
- nlocals = r_long(p);
- stacksize = r_long(p);
- flags = r_long(p);
+ /* XXX ignore long->int overflows for now */
+ argcount = (int)r_long(p);
+ nlocals = (int)r_long(p);
+ stacksize = (int)r_long(p);
+ flags = (int)r_long(p);
code = r_object(p);
if (code == NULL)
goto code_error;
@@ -859,7 +865,7 @@
name = r_object(p);
if (name == NULL)
goto code_error;
- firstlineno = r_long(p);
+ firstlineno = (int)r_long(p);
lnotab = r_object(p);
if (lnotab == NULL)
goto code_error;
@@ -1031,10 +1037,16 @@
wf.strings = (version > 0) ? PyDict_New() : NULL;
w_object(x, &wf);
Py_XDECREF(wf.strings);
- if (wf.str != NULL)
- _PyString_Resize(&wf.str,
- (int) (wf.ptr -
- PyString_AS_STRING((PyStringObject *)wf.str)));
+ if (wf.str != NULL) {
+ char *base = PyString_AS_STRING((PyStringObject *)wf.str);
+ if (wf.ptr - base > PY_SSIZE_T_MAX) {
+ Py_DECREF(wf.str);
+ PyErr_SetString(PyExc_OverflowError,
+ "too much marshall data for a string");
+ return NULL;
+ }
+ _PyString_Resize(&wf.str, (Py_ssize_t)(wf.ptr - base));
+ }
if (wf.error) {
Py_XDECREF(wf.str);
PyErr_SetString(PyExc_ValueError,
diff --git a/Python/modsupport.c b/Python/modsupport.c
index e291014..1aa3df2 100644
--- a/Python/modsupport.c
+++ b/Python/modsupport.c
@@ -421,7 +421,7 @@
"string too long for Python string");
return NULL;
}
- n = (int)m;
+ n = (Py_ssize_t)m;
}
v = PyString_FromStringAndSize(str, n);
}
diff --git a/Python/mystrtoul.c b/Python/mystrtoul.c
index 0dda4be..f007057 100644
--- a/Python/mystrtoul.c
+++ b/Python/mystrtoul.c
@@ -195,13 +195,10 @@
return (unsigned long)-1;
}
-/* Checking for overflow in PyOS_strtol is a PITA since C doesn't define
- * anything about what happens when a signed integer operation overflows,
- * and some compilers think they're doing you a favor by being "clever"
- * then. Python assumes a 2's-complement representation, so that the bit
- * pattern for the largest postive signed long is LONG_MAX, and for
- * the smallest negative signed long is LONG_MAX + 1.
+/* Checking for overflow in PyOS_strtol is a PITA; see comments
+ * about PY_ABS_LONG_MIN in longobject.c.
*/
+#define PY_ABS_LONG_MIN (0-(unsigned long)LONG_MIN)
long
PyOS_strtol(char *str, char **ptr, int base)
@@ -224,8 +221,7 @@
if (sign == '-')
result = -result;
}
- else if (sign == '-' && uresult == (unsigned long)LONG_MAX + 1) {
- assert(LONG_MIN == -LONG_MAX-1);
+ else if (sign == '-' && uresult == PY_ABS_LONG_MIN) {
result = LONG_MIN;
}
else {
diff --git a/Python/sysmodule.c b/Python/sysmodule.c
index 2dbe283..6fbaba5 100644
--- a/Python/sysmodule.c
+++ b/Python/sysmodule.c
@@ -1225,7 +1225,7 @@
p = strchr(path, delim);
if (p == NULL)
p = strchr(path, '\0'); /* End of string */
- w = PyString_FromStringAndSize(path, (int) (p - path));
+ w = PyString_FromStringAndSize(path, (Py_ssize_t) (p - path));
if (w == NULL) {
Py_DECREF(v);
return NULL;