Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / f02d1a43c6be658cd279edb90e8e96c99e1127e7^! / . / Objects
commitf02d1a43c6be658cd279edb90e8e96c99e1127e7[log] [tgz]
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>Fri May 17 00:33:10 2019 -0700
committerGitHub <noreply@github.com>Fri May 17 00:33:10 2019 -0700
treec27f46c3ad004c5a96eeb1b498076dabd7788350
parentaa73841a8fdded4a462d045d1eb03899cbeecd65 [diff]
bpo-36946: Fix possible signed integer overflow when handling slices. (GH-13375)


The final addition (cur += step) may overflow, so use size_t for "cur".
"cur" is always positive (even for negative steps), so it is safe to use
size_t here.

Co-Authored-By: Martin Panter <vadmium+py@gmail.com>
(cherry picked from commit 14514d9084a40f599c57da853a305aa264562a43)

Co-authored-by: Zackery Spytz <zspytz@gmail.com>
diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c
index 3f3e6bc..8a0994f 100644
--- a/Objects/bytearrayobject.c
+++ b/Objects/bytearrayobject.c

@@ -420,7 +420,8 @@
         return PyLong_FromLong((unsigned char)(PyByteArray_AS_STRING(self)[i]));
     }
     else if (PySlice_Check(index)) {
-        Py_ssize_t start, stop, step, slicelength, cur, i;
+        Py_ssize_t start, stop, step, slicelength, i;
+        size_t cur;
         if (PySlice_Unpack(index, &start, &stop, &step) < 0) {
             return NULL;
         }

diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
index a5319da..b4ba1a0 100644
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c

@@ -1673,7 +1673,8 @@
         return PyLong_FromLong((unsigned char)self->ob_sval[i]);
     }
     else if (PySlice_Check(item)) {
-        Py_ssize_t start, stop, step, slicelength, cur, i;
+        Py_ssize_t start, stop, step, slicelength, i;
+        size_t cur;
         char* source_buf;
         char* result_buf;
         PyObject* result;

diff --git a/Objects/tupleobject.c b/Objects/tupleobject.c
index 9bb91a5..7ee06e2 100644
--- a/Objects/tupleobject.c
+++ b/Objects/tupleobject.c

@@ -730,7 +730,8 @@
         return tupleitem(self, i);
     }
     else if (PySlice_Check(item)) {
-        Py_ssize_t start, stop, step, slicelength, cur, i;
+        Py_ssize_t start, stop, step, slicelength, i;
+        size_t cur;
         PyObject* result;
         PyObject* it;
         PyObject **src, **dest;

diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index e189379..ed1e4a4 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c

@@ -13989,7 +13989,8 @@
             i += PyUnicode_GET_LENGTH(self);
         return unicode_getitem(self, i);
     } else if (PySlice_Check(item)) {
-        Py_ssize_t start, stop, step, slicelength, cur, i;
+        Py_ssize_t start, stop, step, slicelength, i;
+        size_t cur;
         PyObject *result;
         void *src_data, *dest_data;
         int src_kind, dest_kind;