Skip to content

py: Fix integer overflow in sequence repeat that corrupts memory. #19315

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
P4P3R-HAK wants to merge 1 commit into
base: master
Choose a base branch
from
+23 −0
Open

py: Fix integer overflow in sequence repeat that corrupts memory. #19315

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions py/objlist.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -132,6 +132,9 @@ static mp_obj_t list_binary_op(mp_binary_op_t op, mp_obj_t lhs, mp_obj_t rhs) {
if (n < 0) {
n = 0;
}
if (o->len != 0 && (size_t)n > SIZE_MAX / o->len) {
mp_raise_msg(&mp_type_OverflowError, MP_ERROR_TEXT("repeated list is too long"));
}
mp_obj_list_t *s = list_new(o->len * n);
mp_seq_multiply(o->items, sizeof(*o->items), o->len, n, s->items);
return MP_OBJ_FROM_PTR(s);
Expand Down
3 changes: 3 additions & 0 deletions py/objstr.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -393,6 +393,9 @@ mp_obj_t mp_obj_str_binary_op(mp_binary_op_t op, mp_obj_t lhs_in, mp_obj_t rhs_i
if (n <= 0) {
return make_empty_str_of_type(lhs_type);
}
if (lhs_len != 0 && (size_t)n > SIZE_MAX / lhs_len) {
mp_raise_msg(&mp_type_OverflowError, MP_ERROR_TEXT("repeated string is too long"));
}
vstr_t vstr;
vstr_init_len(&vstr, lhs_len * n);
mp_seq_multiply(lhs_data, sizeof(*lhs_data), lhs_len, n, vstr.buf);
Expand Down
3 changes: 3 additions & 0 deletions py/objtuple.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -169,6 +169,9 @@ mp_obj_t mp_obj_tuple_binary_op(mp_binary_op_t op, mp_obj_t lhs, mp_obj_t rhs) {
if (n <= 0) {
return mp_const_empty_tuple;
}
if (o->len != 0 && (size_t)n > SIZE_MAX / o->len) {
mp_raise_msg(&mp_type_OverflowError, MP_ERROR_TEXT("repeated tuple is too long"));
}
mp_obj_tuple_t *s = MP_OBJ_TO_PTR(mp_obj_new_tuple(o->len * n, NULL));
mp_seq_multiply(o->items, sizeof(*o->items), o->len, n, s->items);
return MP_OBJ_FROM_PTR(s);
Expand Down
14 changes: 14 additions & 0 deletions tests/basics/sequence_repeat_overflow.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# Repeating a sequence by a huge count must raise, not overflow the size
# calculation and corrupt memory.
import sys

# count chosen so that (length-8 sequence) * count wraps a size_t to a small value
word = 64 if sys.maxsize > 2**32 else 32
count = (1 << (word - 3)) + 1

for x in (b"01234567", "01234567", [0, 1, 2, 3, 4, 5, 6, 7], (0, 1, 2, 3, 4, 5, 6, 7)):
try:
x * count
print("no exception")
except (OverflowError, MemoryError):
print("caught")
Loading