[Python-checkins] bpo-36946: Fix possible signed integer overflow when handling slices. (GH-13375)
Miss Islington (bot)
webhook-mailer at python.org
Fri May 17 03:33:14 EDT 2019
https://github.com/python/cpython/commit/f02d1a43c6be658cd279edb90e8e96c99e1127e7
commit: f02d1a43c6be658cd279edb90e8e96c99e1127e7
branch: 3.7
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: GitHub <noreply at github.com>
date: 2019-05-17T00:33:10-07:00
summary:
bpo-36946: Fix possible signed integer overflow when handling slices. (GH-13375)
The final addition (cur += step) may overflow, so use size_t for "cur".
"cur" is always positive (even for negative steps), so it is safe to use
size_t here.
Co-Authored-By: Martin Panter <vadmium+py at gmail.com>
(cherry picked from commit 14514d9084a40f599c57da853a305aa264562a43)
Co-authored-by: Zackery Spytz <zspytz at gmail.com>
files:
A Misc/NEWS.d/next/Core and Builtins/2019-05-16-23-53-45.bpo-36946.qjxr0Y.rst
M Lib/ctypes/test/test_arrays.py
M Lib/test/seq_tests.py
M Lib/test/string_tests.py
M Lib/test/test_array.py
M Lib/test/test_bytes.py
M Lib/test/test_mmap.py
M Modules/_ctypes/_ctypes.c
M Modules/_elementtree.c
M Modules/arraymodule.c
M Modules/mmapmodule.c
M Objects/bytearrayobject.c
M Objects/bytesobject.c
M Objects/tupleobject.c
M Objects/unicodeobject.c
diff --git a/Lib/ctypes/test/test_arrays.py b/Lib/ctypes/test/test_arrays.py
index ca271341ed9a..37719399e277 100644
--- a/Lib/ctypes/test/test_arrays.py
+++ b/Lib/ctypes/test/test_arrays.py
@@ -69,6 +69,17 @@ def test_simple(self):
from operator import delitem
self.assertRaises(TypeError, delitem, ca, 0)
+ def test_step_overflow(self):
+ a = (c_int * 5)()
+ a[3::sys.maxsize] = (1,)
+ self.assertListEqual(a[3::sys.maxsize], [1])
+ a = (c_char * 5)()
+ a[3::sys.maxsize] = b"A"
+ self.assertEqual(a[3::sys.maxsize], b"A")
+ a = (c_wchar * 5)()
+ a[3::sys.maxsize] = u"X"
+ self.assertEqual(a[3::sys.maxsize], u"X")
+
def test_numeric_arrays(self):
alen = 5
diff --git a/Lib/test/seq_tests.py b/Lib/test/seq_tests.py
index 6aedd2be94db..65b110ef7818 100644
--- a/Lib/test/seq_tests.py
+++ b/Lib/test/seq_tests.py
@@ -209,6 +209,7 @@ def test_getslice(self):
a = self.type2test([0,1,2,3,4])
self.assertEqual(a[ -pow(2,128): 3 ], self.type2test([0,1,2]))
self.assertEqual(a[ 3: pow(2,145) ], self.type2test([3,4]))
+ self.assertEqual(a[3::sys.maxsize], self.type2test([3]))
def test_contains(self):
u = self.type2test([0, 1, 2])
diff --git a/Lib/test/string_tests.py b/Lib/test/string_tests.py
index 561b09a2d5ee..329246d3307b 100644
--- a/Lib/test/string_tests.py
+++ b/Lib/test/string_tests.py
@@ -1135,7 +1135,7 @@ def test_slice(self):
def test_extended_getslice(self):
# Test extended slicing by comparing with list slicing.
s = string.ascii_letters + string.digits
- indices = (0, None, 1, 3, 41, -1, -2, -37)
+ indices = (0, None, 1, 3, 41, sys.maxsize, -1, -2, -37)
for start in indices:
for stop in indices:
# Skip step 0 (invalid)
diff --git a/Lib/test/test_array.py b/Lib/test/test_array.py
index e9218f3dd68c..5fd0238f4fc3 100644
--- a/Lib/test/test_array.py
+++ b/Lib/test/test_array.py
@@ -745,7 +745,7 @@ def test_extended_getslice(self):
# Test extended slicing by comparing with list slicing
# (Assumes list conversion works correctly, too)
a = array.array(self.typecode, self.example)
- indices = (0, None, 1, 3, 19, 100, -1, -2, -31, -100)
+ indices = (0, None, 1, 3, 19, 100, sys.maxsize, -1, -2, -31, -100)
for start in indices:
for stop in indices:
# Everything except the initial 0 (invalid step)
@@ -843,7 +843,7 @@ def test_setslice(self):
self.assertRaises(TypeError, a.__setitem__, slice(0, 1), b)
def test_extended_set_del_slice(self):
- indices = (0, None, 1, 3, 19, 100, -1, -2, -31, -100)
+ indices = (0, None, 1, 3, 19, 100, sys.maxsize, -1, -2, -31, -100)
for start in indices:
for stop in indices:
# Everything except the initial 0 (invalid step)
diff --git a/Lib/test/test_bytes.py b/Lib/test/test_bytes.py
index 274616bf998d..3387a1b118fe 100644
--- a/Lib/test/test_bytes.py
+++ b/Lib/test/test_bytes.py
@@ -283,7 +283,7 @@ def test_extended_getslice(self):
# Test extended slicing by comparing with list slicing.
L = list(range(255))
b = self.type2test(L)
- indices = (0, None, 1, 3, 19, 100, -1, -2, -31, -100)
+ indices = (0, None, 1, 3, 19, 100, sys.maxsize, -1, -2, -31, -100)
for start in indices:
for stop in indices:
# Skip step 0 (invalid)
@@ -1238,7 +1238,8 @@ def test_del_expand(self):
self.assertLessEqual(sys.getsizeof(b), size)
def test_extended_set_del_slice(self):
- indices = (0, None, 1, 3, 19, 300, 1<<333, -1, -2, -31, -300)
+ indices = (0, None, 1, 3, 19, 300, 1<<333, sys.maxsize,
+ -1, -2, -31, -300)
for start in indices:
for stop in indices:
# Skip invalid step 0
diff --git a/Lib/test/test_mmap.py b/Lib/test/test_mmap.py
index 355af8cd5893..e6284cb98914 100644
--- a/Lib/test/test_mmap.py
+++ b/Lib/test/test_mmap.py
@@ -452,7 +452,7 @@ def test_extended_getslice(self):
m = mmap.mmap(-1, len(s))
m[:] = s
self.assertEqual(m[:], s)
- indices = (0, None, 1, 3, 19, 300, -1, -2, -31, -300)
+ indices = (0, None, 1, 3, 19, 300, sys.maxsize, -1, -2, -31, -300)
for start in indices:
for stop in indices:
# Skip step 0 (invalid)
@@ -464,7 +464,7 @@ def test_extended_set_del_slice(self):
# Test extended slicing by comparing with list slicing.
s = bytes(reversed(range(256)))
m = mmap.mmap(-1, len(s))
- indices = (0, None, 1, 3, 19, 300, -1, -2, -31, -300)
+ indices = (0, None, 1, 3, 19, 300, sys.maxsize, -1, -2, -31, -300)
for start in indices:
for stop in indices:
# Skip invalid step 0
diff --git a/Misc/NEWS.d/next/Core and Builtins/2019-05-16-23-53-45.bpo-36946.qjxr0Y.rst b/Misc/NEWS.d/next/Core and Builtins/2019-05-16-23-53-45.bpo-36946.qjxr0Y.rst
new file mode 100644
index 000000000000..aa5de80a2943
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2019-05-16-23-53-45.bpo-36946.qjxr0Y.rst
@@ -0,0 +1 @@
+Fix possible signed integer overflow when handling slices.
diff --git a/Modules/_ctypes/_ctypes.c b/Modules/_ctypes/_ctypes.c
index 153990309b7a..0692b458354c 100644
--- a/Modules/_ctypes/_ctypes.c
+++ b/Modules/_ctypes/_ctypes.c
@@ -4372,7 +4372,8 @@ Array_subscript(PyObject *myself, PyObject *item)
StgDictObject *stgdict, *itemdict;
PyObject *proto;
PyObject *np;
- Py_ssize_t start, stop, step, slicelen, cur, i;
+ Py_ssize_t start, stop, step, slicelen, i;
+ size_t cur;
if (PySlice_Unpack(item, &start, &stop, &step) < 0) {
return NULL;
@@ -4512,7 +4513,8 @@ Array_ass_subscript(PyObject *myself, PyObject *item, PyObject *value)
return Array_ass_item(myself, i, value);
}
else if (PySlice_Check(item)) {
- Py_ssize_t start, stop, step, slicelen, otherlen, i, cur;
+ Py_ssize_t start, stop, step, slicelen, otherlen, i;
+ size_t cur;
if (PySlice_Unpack(item, &start, &stop, &step) < 0) {
return -1;
diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
index 79f1ccd68565..1b8f81234df4 100644
--- a/Modules/_elementtree.c
+++ b/Modules/_elementtree.c
@@ -1771,7 +1771,8 @@ element_subscr(PyObject* self_, PyObject* item)
return element_getitem(self_, i);
}
else if (PySlice_Check(item)) {
- Py_ssize_t start, stop, step, slicelen, cur, i;
+ Py_ssize_t start, stop, step, slicelen, i;
+ size_t cur;
PyObject* list;
if (!self->extra)
@@ -1823,7 +1824,8 @@ element_ass_subscr(PyObject* self_, PyObject* item, PyObject* value)
return element_setitem(self_, i, value);
}
else if (PySlice_Check(item)) {
- Py_ssize_t start, stop, step, slicelen, newlen, cur, i;
+ Py_ssize_t start, stop, step, slicelen, newlen, i;
+ size_t cur;
PyObject* recycle = NULL;
PyObject* seq;
diff --git a/Modules/arraymodule.c b/Modules/arraymodule.c
index ee7ae54661b3..e6175e7dd904 100644
--- a/Modules/arraymodule.c
+++ b/Modules/arraymodule.c
@@ -2343,7 +2343,8 @@ array_subscr(arrayobject* self, PyObject* item)
return array_item(self, i);
}
else if (PySlice_Check(item)) {
- Py_ssize_t start, stop, step, slicelength, cur, i;
+ Py_ssize_t start, stop, step, slicelength, i;
+ size_t cur;
PyObject* result;
arrayobject* ar;
int itemsize = self->ob_descr->itemsize;
@@ -2527,7 +2528,8 @@ array_ass_subscr(arrayobject* self, PyObject* item, PyObject* value)
return 0;
}
else {
- Py_ssize_t cur, i;
+ size_t cur;
+ Py_ssize_t i;
if (needed != slicelength) {
PyErr_Format(PyExc_ValueError,
diff --git a/Modules/mmapmodule.c b/Modules/mmapmodule.c
index f957e2c45ef5..223afacf3140 100644
--- a/Modules/mmapmodule.c
+++ b/Modules/mmapmodule.c
@@ -790,7 +790,8 @@ mmap_subscript(mmap_object *self, PyObject *item)
slicelen);
else {
char *result_buf = (char *)PyMem_Malloc(slicelen);
- Py_ssize_t cur, i;
+ size_t cur;
+ Py_ssize_t i;
PyObject *result;
if (result_buf == NULL)
@@ -910,7 +911,8 @@ mmap_ass_subscript(mmap_object *self, PyObject *item, PyObject *value)
memcpy(self->data + start, vbuf.buf, slicelen);
}
else {
- Py_ssize_t cur, i;
+ size_t cur;
+ Py_ssize_t i;
for (cur = start, i = 0;
i < slicelen;
diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c
index 3f3e6bcf0cb8..8a0994ffa4ab 100644
--- a/Objects/bytearrayobject.c
+++ b/Objects/bytearrayobject.c
@@ -420,7 +420,8 @@ bytearray_subscript(PyByteArrayObject *self, PyObject *index)
return PyLong_FromLong((unsigned char)(PyByteArray_AS_STRING(self)[i]));
}
else if (PySlice_Check(index)) {
- Py_ssize_t start, stop, step, slicelength, cur, i;
+ Py_ssize_t start, stop, step, slicelength, i;
+ size_t cur;
if (PySlice_Unpack(index, &start, &stop, &step) < 0) {
return NULL;
}
diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
index a5319da48daa..b4ba1a01ab16 100644
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -1673,7 +1673,8 @@ bytes_subscript(PyBytesObject* self, PyObject* item)
return PyLong_FromLong((unsigned char)self->ob_sval[i]);
}
else if (PySlice_Check(item)) {
- Py_ssize_t start, stop, step, slicelength, cur, i;
+ Py_ssize_t start, stop, step, slicelength, i;
+ size_t cur;
char* source_buf;
char* result_buf;
PyObject* result;
diff --git a/Objects/tupleobject.c b/Objects/tupleobject.c
index 9bb91a5e65a0..7ee06e20e4a9 100644
--- a/Objects/tupleobject.c
+++ b/Objects/tupleobject.c
@@ -730,7 +730,8 @@ tuplesubscript(PyTupleObject* self, PyObject* item)
return tupleitem(self, i);
}
else if (PySlice_Check(item)) {
- Py_ssize_t start, stop, step, slicelength, cur, i;
+ Py_ssize_t start, stop, step, slicelength, i;
+ size_t cur;
PyObject* result;
PyObject* it;
PyObject **src, **dest;
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index e18937981bb7..ed1e4a4dd556 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -13989,7 +13989,8 @@ unicode_subscript(PyObject* self, PyObject* item)
i += PyUnicode_GET_LENGTH(self);
return unicode_getitem(self, i);
} else if (PySlice_Check(item)) {
- Py_ssize_t start, stop, step, slicelength, cur, i;
+ Py_ssize_t start, stop, step, slicelength, i;
+ size_t cur;
PyObject *result;
void *src_data, *dest_data;
int src_kind, dest_kind;
More information about the Python-checkins
mailing list