https://github.com/python/cpython/commit/30a6bc842945e3e9c9c7db887ab495c428e... commit: 30a6bc842945e3e9c9c7db887ab495c428ec7074 branch: 3.6 author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> committer: Serhiy Storchaka <storchaka@gmail.com> date: 2017-12-03T23:27:21+02:00 summary: bpo-31619: Fixed integer overflow in converting huge strings to int. (GH-3884) (#4690) (cherry picked from commit 29ba688034fc4eef0693b86002cf7bee55d692af) files: M Objects/longobject.c diff --git a/Objects/longobject.c b/Objects/longobject.c index c0cd7c12be2..c3c0949189d 100644 --- a/Objects/longobject.c +++ b/Objects/longobject.c @@ -2016,7 +2016,7 @@ long_from_binary_base(const char **str, int base, PyLongObject **res) const char *p = *str; const char *start = p; char prev = 0; - int digits = 0; + Py_ssize_t digits = 0; int bits_per_char; Py_ssize_t n; PyLongObject *z; @@ -2259,8 +2259,9 @@ just 1 digit at the start, so that the copying code was exercised for every digit beyond the first. ***/ twodigits c; /* current input character */ + double fsize_z; Py_ssize_t size_z; - int digits = 0; + Py_ssize_t digits = 0; int i; int convwidth; twodigits convmultmax, convmult; @@ -2322,7 +2323,14 @@ digit beyond the first. * need to initialize z->ob_digit -- no slot is read up before * being stored into. */ - size_z = (Py_ssize_t)(digits * log_base_BASE[base]) + 1; + fsize_z = digits * log_base_BASE[base] + 1; + if (fsize_z > MAX_LONG_DIGITS) { + /* The same exception as in _PyLong_New(). */ + PyErr_SetString(PyExc_OverflowError, + "too many digits in integer"); + return NULL; + } + size_z = (Py_ssize_t)fsize_z; /* Uncomment next line to test exceedingly rare copy code */ /* size_z = 1; */ assert(size_z > 0);