From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Date: Fri, 10 Jan 2025 03:56:35 +0000 (+0100) Subject: [3.13] gh-126862: Use `Py_ssize_t` instead of `int` when processing the number of... X-Git-Tag: v3.13.2~119 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5370ad100d1801925a1e037314289c3bd433a4e5;p=thirdparty%2FPython%2Fcpython.git [3.13] gh-126862: Use `Py_ssize_t` instead of `int` when processing the number of super-classes (GH-127523) (#128699) gh-126862: Use `Py_ssize_t` instead of `int` when processing the number of super-classes (GH-127523) (cherry picked from commit 2fcdc8488c32d18f4567f797094068a994777f16) Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> --- diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2024-12-02-18-15-37.gh-issue-126862.fdIK7T.rst b/Misc/NEWS.d/next/Core_and_Builtins/2024-12-02-18-15-37.gh-issue-126862.fdIK7T.rst new file mode 100644 index 000000000000..d930c2963e36 --- /dev/null +++ b/Misc/NEWS.d/next/Core_and_Builtins/2024-12-02-18-15-37.gh-issue-126862.fdIK7T.rst @@ -0,0 +1,2 @@ +Fix a possible overflow when a class inherits from an absurd number of +super-classes. Reported by Valery Fedorenko. Patch by Bénédikt Tran. diff --git a/Objects/typeobject.c b/Objects/typeobject.c index 20b99816593c..093ebac9b501 100644 --- a/Objects/typeobject.c +++ b/Objects/typeobject.c @@ -2649,7 +2649,7 @@ vectorcall_maybe(PyThreadState *tstate, PyObject *name, */ static int -tail_contains(PyObject *tuple, int whence, PyObject *o) +tail_contains(PyObject *tuple, Py_ssize_t whence, PyObject *o) { Py_ssize_t j, size; size = PyTuple_GET_SIZE(tuple); @@ -2712,7 +2712,7 @@ check_duplicates(PyObject *tuple) */ static void -set_mro_error(PyObject **to_merge, Py_ssize_t to_merge_size, int *remain) +set_mro_error(PyObject **to_merge, Py_ssize_t to_merge_size, Py_ssize_t *remain) { Py_ssize_t i, n, off; char buf[1000]; @@ -2767,13 +2767,13 @@ pmerge(PyObject *acc, PyObject **to_merge, Py_ssize_t to_merge_size) { int res = 0; Py_ssize_t i, j, empty_cnt; - int *remain; + Py_ssize_t *remain; /* remain stores an index into each sublist of to_merge. remain[i] is the index of the next base in to_merge[i] that is not included in acc. */ - remain = PyMem_New(int, to_merge_size); + remain = PyMem_New(Py_ssize_t, to_merge_size); if (remain == NULL) { PyErr_NoMemory(); return -1;