commit f02d1a43c6be658cd279edb90e8e96c99e1127e7
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Fri May 17 00:33:10 2019 -0700
committer GitHub <noreply@github.com> Fri May 17 00:33:10 2019 -0700
tree c27f46c3ad004c5a96eeb1b498076dabd7788350
parent aa73841a8fdded4a462d045d1eb03899cbeecd65

bpo-36946: Fix possible signed integer overflow when handling slices. (GH-13375)


The final addition (cur += step) may overflow, so use size_t for "cur".
"cur" is always positive (even for negative steps), so it is safe to use
size_t here.

Co-Authored-By: Martin Panter <vadmium+py@gmail.com>
(cherry picked from commit 14514d9084a40f599c57da853a305aa264562a43)

Co-authored-by: Zackery Spytz <zspytz@gmail.com>

Objects/bytesobject.c

diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
index a5319da..b4ba1a0 100644
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -1673,7 +1673,8 @@
         return PyLong_FromLong((unsigned char)self->ob_sval[i]);
     }
     else if (PySlice_Check(item)) {
-        Py_ssize_t start, stop, step, slicelength, cur, i;
+        Py_ssize_t start, stop, step, slicelength, i;
+        size_t cur;
         char* source_buf;
         char* result_buf;
         PyObject* result;