From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Date: Wed, 3 Apr 2019 17:55:26 +0000 (-0700) Subject: bpo-36504: Fix signed integer overflow in _ctypes.c's PyCArrayType_new(). (GH-12660) X-Git-Tag: v3.7.4rc1~265 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9c08eeb30ca0e551323467b62ae40e08e30839b3;p=thirdparty%2FPython%2Fcpython.git bpo-36504: Fix signed integer overflow in _ctypes.c's PyCArrayType_new(). (GH-12660) (cherry picked from commit 487b73ab39c80157474821ef9083f51e0846bd62) Co-authored-by: Zackery Spytz --- diff --git a/Lib/ctypes/test/test_arrays.py b/Lib/ctypes/test/test_arrays.py index 6e562cfd24e6..ca271341ed9a 100644 --- a/Lib/ctypes/test/test_arrays.py +++ b/Lib/ctypes/test/test_arrays.py @@ -183,6 +183,12 @@ class ArrayTestCase(unittest.TestCase): _type_ = c_int _length_ = 1.87 + def test_bpo36504_signed_int_overflow(self): + # The overflow check in PyCArrayType_new() could cause signed integer + # overflow. + with self.assertRaises(OverflowError): + c_char * sys.maxsize * 2 + @unittest.skipUnless(sys.maxsize > 2**32, 'requires 64bit platform') @bigmemtest(size=_2G, memuse=1, dry_run=False) def test_large_array(self, size): diff --git a/Misc/NEWS.d/next/Core and Builtins/2019-04-02-04-10-32.bpo-36504.k_V8Bm.rst b/Misc/NEWS.d/next/Core and Builtins/2019-04-02-04-10-32.bpo-36504.k_V8Bm.rst new file mode 100644 index 000000000000..8ac209d4a789 --- /dev/null +++ b/Misc/NEWS.d/next/Core and Builtins/2019-04-02-04-10-32.bpo-36504.k_V8Bm.rst @@ -0,0 +1 @@ +Fix signed integer overflow in _ctypes.c's ``PyCArrayType_new()``. diff --git a/Modules/_ctypes/_ctypes.c b/Modules/_ctypes/_ctypes.c index be0b321bad03..153990309b7a 100644 --- a/Modules/_ctypes/_ctypes.c +++ b/Modules/_ctypes/_ctypes.c @@ -1466,7 +1466,7 @@ PyCArrayType_new(PyTypeObject *type, PyObject *args, PyObject *kwds) } itemsize = itemdict->size; - if (length * itemsize < 0) { + if (length > PY_SSIZE_T_MAX / itemsize) { PyErr_SetString(PyExc_OverflowError, "array too large"); goto error;