[3.9] bpo-43499: Restrict co_code to be under INT_MAX in codeobject (GH-20628) (GH...

(cherry picked from commit 3b3b83c965447a8329b34cb4befe6e9908880ee5)

diff --git a/Objects/codeobject.c b/Objects/codeobject.c
index 737635943aced57d3404782d287eb972c6545a9c..cb4fb6812433366c59dadc68805b8e6be2367b19 100644 (file)
--- a/Objects/codeobject.c
+++ b/Objects/codeobject.c
@@ -166,6 +166,14 @@ PyCode_NewWithPosOnlyArgs(int argcount, int posonlyargcount, int kwonlyargcount,
         return NULL;
     }
 
+    /* Make sure that code is indexable with an int, this is
+       a long running assumption in ceval.c and many parts of
+       the interpreter. */
+    if (PyBytes_GET_SIZE(code) > INT_MAX) {
+        PyErr_SetString(PyExc_OverflowError, "co_code larger than INT_MAX");
+        return NULL;
+    }
+
     /* Check for any inner or outer closure references */
     n_cellvars = PyTuple_GET_SIZE(cellvars);
     if (!n_cellvars && !PyTuple_GET_SIZE(freevars)) {

diff --git a/Objects/frameobject.c b/Objects/frameobject.c
index a2fc0a423747f2389b5e05ea31cbb0d39246bb0c..b511e4c832c77082d40d4c600ca230dec3534053 100644 (file)
--- a/Objects/frameobject.c
+++ b/Objects/frameobject.c
@@ -397,7 +397,9 @@ frame_setlineno(PyFrameObject *f, PyObject* p_new_lineno, void *Py_UNUSED(ignore
         return -1;
     }
 
-    int len = PyBytes_GET_SIZE(f->f_code->co_code)/sizeof(_Py_CODEUNIT);
+    /* PyCode_NewWithPosOnlyArgs limits co_code to be under INT_MAX so this
+     * should never overflow. */
+    int len = (int)(PyBytes_GET_SIZE(f->f_code->co_code) / sizeof(_Py_CODEUNIT));
     int *lines = marklines(f->f_code, len);
     if (lines == NULL) {
         return -1;