diff options
| author | Mark Dickinson <mdickinson@enthought.com> | 2011-09-25 15:34:32 +0100 |
|---|---|---|
| committer | Mark Dickinson <mdickinson@enthought.com> | 2011-09-25 15:34:32 +0100 |
| commit | c7d93b761413834e0ac39f5fc648565a2843121f (patch) | |
| tree | 0bcb66dfcb476fb49a59ce019943f293f003dbc0 /Objects | |
| parent | 50203a69b344e80be5000fe87aafad09e84cde85 (diff) | |
| download | cpython-git-c7d93b761413834e0ac39f5fc648565a2843121f.tar.gz | |
Issue #1621: Fix undefined behaviour from signed overflow in datetime module hashes, array and list iterations, and get_integer (stringlib/string_format.h)
Diffstat (limited to 'Objects')
| -rw-r--r-- | Objects/listobject.c | 6 | ||||
| -rw-r--r-- | Objects/stringlib/string_format.h | 14 |
2 files changed, 9 insertions, 11 deletions
diff --git a/Objects/listobject.c b/Objects/listobject.c index cada70857c..1c516e962b 100644 --- a/Objects/listobject.c +++ b/Objects/listobject.c @@ -2434,7 +2434,7 @@ list_subscript(PyListObject* self, PyObject* item) src = self->ob_item; dest = ((PyListObject *)result)->ob_item; for (cur = start, i = 0; i < slicelength; - cur += step, i++) { + cur += (size_t)step, i++) { it = src[cur]; Py_INCREF(it); dest[i] = it; @@ -2525,7 +2525,7 @@ list_ass_subscript(PyListObject* self, PyObject* item, PyObject* value) self->ob_item + cur + 1, lim * sizeof(PyObject *)); } - cur = start + slicelength*step; + cur = start + (size_t)slicelength * step; if (cur < (size_t)Py_SIZE(self)) { memmove(self->ob_item + cur - slicelength, self->ob_item + cur, @@ -2589,7 +2589,7 @@ list_ass_subscript(PyListObject* self, PyObject* item, PyObject* value) selfitems = self->ob_item; seqitems = PySequence_Fast_ITEMS(seq); for (cur = start, i = 0; i < slicelength; - cur += step, i++) { + cur += (size_t)step, i++) { garbage[i] = selfitems[cur]; ins = seqitems[i]; Py_INCREF(ins); diff --git a/Objects/stringlib/string_format.h b/Objects/stringlib/string_format.h index 6c7adcb01e..d992b6f53c 100644 --- a/Objects/stringlib/string_format.h +++ b/Objects/stringlib/string_format.h @@ -209,19 +209,17 @@ get_integer(const SubString *str) if (digitval < 0) return -1; /* - This trick was copied from old Unicode format code. It's cute, - but would really suck on an old machine with a slow divide - implementation. Fortunately, in the normal case we do not - expect too many digits. + Detect possible overflow before it happens: + + accumulator * 10 + digitval > PY_SSIZE_T_MAX if and only if + accumulator > (PY_SSIZE_T_MAX - digitval) / 10. */ - oldaccumulator = accumulator; - accumulator *= 10; - if ((accumulator+10)/10 != oldaccumulator+1) { + if (accumulator > (PY_SSIZE_T_MAX - digitval) / 10) { PyErr_Format(PyExc_ValueError, "Too many decimal digits in format string"); return -1; } - accumulator += digitval; + accumulator = accumulator * 10 + digitval; } return accumulator; } |