From: Guido van Rossum Date: Mon, 23 Sep 2002 21:02:33 +0000 (+0000) Subject: Backport 2.93 from trunk: X-Git-Tag: v2.2.2b1~149 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1f4a01f7a7e888af95284e8bb1c5e6285ea2e262;p=thirdparty%2FPython%2Fcpython.git Backport 2.93 from trunk: Insert an overflow check when the sequence repetition count is outside the range of ints. The old code would pass random truncated bits to sq_repeat() on a 64-bit machine. --- diff --git a/Objects/intobject.c b/Objects/intobject.c index 5daf699ec88d..ee617654863d 100644 --- a/Objects/intobject.c +++ b/Objects/intobject.c @@ -361,14 +361,41 @@ int_mul(PyObject *v, PyObject *w) double doubleprod; /* (double)a * (double)b */ if (USE_SQ_REPEAT(v)) { + repeat: /* sequence * int */ a = PyInt_AsLong(w); +#if LONG_MAX != INT_MAX + if (a > INT_MAX) { + PyErr_SetString(PyExc_ValueError, + "sequence repeat count too large"); + return NULL; + } + else if (a < INT_MIN) + a = INT_MIN; + /* XXX Why don't I either + + - set a to -1 whenever it's negative (after all, + sequence repeat usually treats negative numbers + as zero(); or + + - raise an exception when it's less than INT_MIN? + + I'm thinking about a hypothetical use case where some + sequence type might use a negative value as a flag of + some kind. In those cases I don't want to break the + code by mapping all negative values to -1. But I also + don't want to break e.g. []*(-sys.maxint), which is + perfectly safe, returning []. As a compromise, I do + map out-of-range negative values. + */ +#endif return (*v->ob_type->tp_as_sequence->sq_repeat)(v, a); } if (USE_SQ_REPEAT(w)) { - /* int * sequence */ - a = PyInt_AsLong(v); - return (*w->ob_type->tp_as_sequence->sq_repeat)(w, a); + PyObject *tmp = v; + v = w; + w = tmp; + goto repeat; } CONVERT_TO_LONG(v, a);